Re: possible vulnerability in ghostscript >= 8.64

[Josh Bressers <bressers () redhat com>]

Use CVE-2009-4270 for the stack overflow.

Thanks.

----- "Vincent Danen" <vdanen () redhat com> wrote:

> We had reported to us a crash in ghostscript's gdevcups.c, and I
> don't
> think it can be used to do anything more than crash ghostscript,
> certainly not in our configurations (compiled with FORTIFY_SOURCE).
>
> Debug logging was added to gdevcups.c prior to the 8.64 release on
> Oct
> 17th, 2008:
>
> http://svn.ghostscript.com/viewvc?view=rev&revision=9165
>
> The addition of the debug logging allowed for a MediaType string to
> be
> printed, which if longer than the 1024-byte buffer in errprintf would
> cause ghostscript to crash   This is due to errprintf() and
> outprintf()
> using vsprintf() on a fixed-length array on the stack.
>
> This issue does not affect versions of ghostscript older than 8.64;
> for
> 8.64 and newer, if compiled using FORTIFY_SOURCE (as it is in
> Fedora),
> this is turned into nothing more than a crash.  On a system without
> FORTIFY_SOURCE, this _might_ be exploitable, but I cannot say for
> certain.
>
> As well, we can't see (in ghostscript 8.15 at least), any other calls
> to
> errprintf() or outprintf() that use the %s specifier with
> user-supplied
> strings (so arguably the vsprintf() calls in those functions should
> be
> fixed, but we don't see an immediate need to do so).
>
> I imagine that most vendors using ghostscript 8.64 or newer also have
> a
> newer glibc and are using FORTIFY_SOURCE protection, but I can't know
> that for certain, so this is a general notice that the issue exists.
>
> Our bug report:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=540760
>
> this had also been reported previously upstream as well:
>
> http://bugs.ghostscript.com/show_bug.cgi?id=690829
>
> -- 
> Vincent Danen / Red Hat Security Response Team

-- 
    JB