oss-sec mailing list archives
Re: CVE assignment: ghostscript stack-based overflow
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Tue, 11 May 2010 20:33:01 -0400
CVE request for the second issue described in this advisory, just published:

http://seclists.org/fulldisclosure/2010/May/134

quote:

GhostScript (all tested versions) fails to properly handle infinitely recursive procedure invocations. By providing a PostScript file with a sequence such as:

    /A{pop 0 A 0} bind def /product A 0

the interpreter's internal stack will be overflowed with recursive calls, at which point execution will jump to an attacker-controlled address. This vulnerability can be exploited by enticing a user to open a maliciously crafted PostScript file, achieving arbitrary code execution.

This issue has not yet been assigned a CVE identifier.

Thanks,
Dan

On Tue, May 11, 2010 at 7:24 PM, Steven M. Christey <coley () linus mitre org> wrote:
FYI. The researcher told me that some distros were notified pre-disclosure, but I had already assigned this CVE when I found out.

======================================================
Name: CVE-2010-1869
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1869
Reference: MISC:http://www.checkpoint.com/defense/advisories/public/2010/cpai-10-May.html

Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file.
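Added example, not part of the original message and not Ghostscript's code: a toy interpreter in C showing the defensive pattern relevant to the recursion issue quoted above, a fixed-size execution stack whose every push is bounds-checked, so a self-invoking procedure ends in an error (named here after PostScript's execstackoverflow) instead of a write past the stack. EXEC_STACK_MAX, the procedure table and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#define EXEC_STACK_MAX 64   /* assumed limit, chosen for this toy model */
enum { OK = 0, E_EXECSTACKOVERFLOW = -1, E_UNDEFINED = -2 };

struct proc { const char *name; const char *body[8]; }; /* NULL-terminated tokens */

struct interp {
    const struct proc *frames[EXEC_STACK_MAX]; /* fixed-size execution stack */
    size_t depth, max_depth;
};

/* Constructed sample: A is modelled on the self-invoking procedure quoted above. */
static const struct proc PROCS[] = {
    { "A", { "pop", "0", "A", "0", NULL } },
    { "B", { "pop", "0", NULL } },
};

static const struct proc *lookup(const char *name) {
    for (size_t i = 0; i < sizeof PROCS / sizeof PROCS[0]; i++)
        if (strcmp(PROCS[i].name, name) == 0) return &PROCS[i];
    return NULL;
}

/* Invoke a procedure; the frame push is bounds-checked before the write. */
static int call_proc(struct interp *in, const struct proc *p) {
    int rc = OK;
    if (in->depth >= EXEC_STACK_MAX) return E_EXECSTACKOVERFLOW;
    in->frames[in->depth++] = p;
    if (in->depth > in->max_depth) in->max_depth = in->depth;
    for (size_t i = 0; p->body[i] != NULL && rc == OK; i++) {
        const struct proc *callee = lookup(p->body[i]);
        if (callee != NULL) rc = call_proc(in, callee); /* other tokens: no-ops here */
    }
    in->depth--;  /* unwind this frame on success and on error */
    return rc;
}

/* Run one named procedure on a fresh interpreter; report deepest nesting reached. */
int run(const char *name, size_t *max_depth) {
    struct interp in = { {0}, 0, 0 };
    const struct proc *p = lookup(name);
    int rc = p ? call_proc(&in, p) : E_UNDEFINED;
    if (max_depth) *max_depth = in.max_depth;
    return rc;
}

int main(void) {
    return run("A", NULL) == E_EXECSTACKOVERFLOW ? 0 : 1;
}
```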