oss-sec mailing list archives

possible vulnerability in ghostscript >= 8.64


From: Vincent Danen <vdanen () redhat com>
Date: Thu, 17 Dec 2009 21:01:24 -0700

We had reported to us a crash in ghostscript's gdevcups.c, and I don't
think it can be used to do anything more than crash ghostscript,
certainly not in our configurations (compiled with FORTIFY_SOURCE).

Debug logging was added to gdevcups.c prior to the 8.64 release on Oct
17th, 2008:

http://svn.ghostscript.com/viewvc?view=rev&revision=9165

The addition of the debug logging allowed for a MediaType string to be
printed, which if longer than the 1024-byte buffer in errprintf would
cause ghostscript to crash.  This is due to errprintf() and outprintf()
using vsprintf() on a fixed-length array on the stack.

This issue does not affect versions of ghostscript older than 8.64; for
8.64 and newer, if compiled using FORTIFY_SOURCE (as it is in Fedora),
this is turned into nothing more than a crash.  On a system without
FORTIFY_SOURCE, this _might_ be exploitable, but I cannot say for
certain.

As well, we can't see (in ghostscript 8.15 at least) any other calls to
errprintf() or outprintf() that use the %s specifier with user-supplied
strings (so arguably the vsprintf() calls in those functions should be
fixed, but we don't see an immediate need to do so).

I imagine that most vendors using ghostscript 8.64 or newer also have a
newer glibc and are using FORTIFY_SOURCE protection, but I can't know
that for certain, so this is a general notice that the issue exists.

Our bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=540760

This had also been reported previously upstream as well:

http://bugs.ghostscript.com/show_bug.cgi?id=690829

--
Vincent Danen / Red Hat Security Response Team
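For illustration, an added example that is not ghostscript's code: a bounded stand-in for the errprintf()/outprintf() pattern the message describes, using vsnprintf() instead of vsprintf() on the 1024-byte stack buffer so that an over-long %s argument is truncated rather than written past the array. The function names, the debug format string and the MediaType values are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the fixed stack array the report describes. */
#define ERRPRINTF_BUF_SIZE 1024

/* Bounded stand-in for errprintf() (example code, not ghostscript's):
 * vsnprintf() never writes past buf, so a long %s argument is truncated
 * instead of overwriting the stack.  Returns 1 if the message was truncated
 * (the vsprintf() version would have overflowed here), 0 if it fit,
 * -1 on a formatting error. */
int errprintf_bounded(const char *fmt, ...)
{
    char buf[ERRPRINTF_BUF_SIZE];
    va_list args;
    int needed;

    va_start(args, fmt);
    needed = vsnprintf(buf, sizeof buf, fmt, args);   /* bounded, not vsprintf() */
    va_end(args);
    if (needed < 0)
        return -1;
    fputs(buf, stderr);                               /* buf is always NUL-terminated */
    return (size_t)needed >= sizeof buf ? 1 : 0;
}

/* Reproduces the shape of the debug line from the report with a constructed
 * MediaType value of `len` bytes ('A's) and returns errprintf_bounded()'s
 * result.  The hypothetical format string contributes 20 bytes before %s and
 * 2 after it, so the message exceeds 1024 bytes once len >= 1002. */
int demo_long_mediatype(size_t len)
{
    char *mediatype = malloc(len + 1);
    int truncated;

    if (mediatype == NULL)
        return -1;
    memset(mediatype, 'A', len);
    mediatype[len] = '\0';
    truncated = errprintf_bounded("DEBUG: MediaType = \"%s\"\n", mediatype);
    free(mediatype);
    return truncated;
}

int main(void)
{
    printf("len=1001 truncated=%d\n", demo_long_mediatype(1001));
    printf("len=1002 truncated=%d\n", demo_long_mediatype(1002));
    printf("len=4096 truncated=%d\n", demo_long_mediatype(4096));
    return 0;
}
```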