oss-sec mailing list archives
Re: possible vulnerability in ghostscript >= 8.64
From: Josh Bressers <bressers () redhat com>
Date: Fri, 18 Dec 2009 14:25:36 -0500 (EST)
Use CVE-2009-4270 for the stack overflow. Thanks.

----- "Vincent Danen" <vdanen () redhat com> wrote:

> We had reported to us a crash in ghostscript's gdevcups.c, and I don't think it can be used to do anything more than crash ghostscript, certainly not in our configurations (compiled with FORTIFY_SOURCE).
>
> Debug logging was added to gdevcups.c prior to the 8.64 release on Oct 17th, 2008:
>
> http://svn.ghostscript.com/viewvc?view=rev&revision=9165
>
> The addition of the debug logging allowed for a MediaType string to be printed, which if longer than the 1024-byte buffer in errprintf would cause ghostscript to crash. This is due to errprintf() and outprintf() using vsprintf() on a fixed-length array on the stack.
>
> This issue does not affect versions of ghostscript older than 8.64; for 8.64 and newer, if compiled using FORTIFY_SOURCE (as it is in Fedora), this is turned into nothing more than a crash. On a system without FORTIFY_SOURCE, this _might_ be exploitable, but I cannot say for certain.
>
> As well, we can't see (in ghostscript 8.15 at least) any other calls to errprintf() or outprintf() that use the %s specifier with user-supplied strings (so arguably the vsprintf() calls in those functions should be fixed, but we don't see an immediate need to do so).
>
> I imagine that most vendors using ghostscript 8.64 or newer also have a newer glibc and are using FORTIFY_SOURCE protection, but I can't know that for certain, so this is a general notice that the issue exists.
>
> Our bug report: https://bugzilla.redhat.com/show_bug.cgi?id=540760
>
> This had also been reported previously upstream as well: http://bugs.ghostscript.com/show_bug.cgi?id=690829
>
> --
> Vincent Danen / Red Hat Security Response Team
-- JB
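The quoted report describes the root cause as errprintf()/outprintf() calling vsprintf() into a fixed 1024-byte stack array, so a MediaType string longer than the buffer overruns the frame. The following is an added illustration, not code from ghostscript or from either poster: it places the unbounded pattern next to a bounded replacement built on vsnprintf(), which stops at the buffer size and reports how long the message would have been so the caller can detect truncation. The function names (unsafe_format, safe_format, log_media_type, demo_long_media_type), the debug-line format string and the 2000-character test value are all constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the buffer described in the report (assumption:
   the exact declaration in gdevcups.c / errprintf is not shown there). */
#define ERRBUF_LEN 1024

/* The pattern the report describes: vsprintf() has no idea how large
   buf is, so a %s argument longer than the buffer is written past its
   end. Shown for contrast only; it is never called in this example. */
void unsafe_format(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);   /* unbounded write into a fixed array */
    va_end(ap);
}

/* Bounded replacement: vsnprintf() writes at most len bytes including
   the terminating NUL, and returns the length the full message would
   have needed. A return value >= len means the output was truncated. */
int safe_format(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf, len, fmt, ap);
    va_end(ap);

    if (needed < 0) {          /* encoding/format error: leave an empty string */
        if (len > 0)
            buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Models the debug-logging call path: format a MediaType value into a
   fixed error buffer. Returns 0 if the message fit, 1 if it was
   truncated (the buffer is still NUL-terminated), -1 on a format error. */
int log_media_type(const char *media_type, char *out, size_t outlen)
{
    int needed = safe_format(out, outlen, "DEBUG: MediaType = \"%s\"\n", media_type);
    if (needed < 0)
        return -1;
    return (size_t)needed >= outlen ? 1 : 0;
}

/* Constructed input: a 2000-character MediaType value, well past the
   1024-byte buffer. Returns 1 when the bounded path behaves as intended:
   truncation is reported and the buffer holds at most 1023 characters. */
int demo_long_media_type(void)
{
    static char media[2001];
    char errbuf[ERRBUF_LEN];
    int truncated;

    memset(media, 'A', sizeof media - 1);
    media[sizeof media - 1] = '\0';

    truncated = log_media_type(media, errbuf, sizeof errbuf);
    return truncated == 1 && strlen(errbuf) == ERRBUF_LEN - 1;
}

int main(void)
{
    printf("long MediaType handled safely: %s\n",
           demo_long_media_type() ? "yes" : "no");
    return 0;
}
```

The point of returning the truncation flag rather than silently clipping is that a debug line whose content disappears is itself worth logging; the fix for the buffer is vsnprintf(), the fix for the visibility gap is the caller checking the return value.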
Current thread:
- possible vulnerability in ghostscript >= 8.64 Vincent Danen (Dec 17)
- Re: possible vulnerability in ghostscript >= 8.64 Josh Bressers (Dec 18)