[ghostscript] [CVE-2008-0411] buffer overflow in the color space handling code

Chris Evans of Google security team has reported a buffer overflow in
zseticcspace() function in zicc.c. The issue is over-trust of the length of a
postscript array which an attacker can set to an arbitrary length.

This issue can lead to arbitrary code execution.

Stack-based buffer overflow in the zseticcspace() function in zicc.c, will result in arbitrary code execution.

Currently under embargo, awaiting upstream patch. The $URL is private.

Created attachment 294020
Patch proposed by Werner Fink

Tom and Stefan, can you please create an ebuild with the patch applied and attach it to this bug. Do not commit anything to CVS yet as long as this bug is under embargo.

Created attachment 143467
ghostscript-8.60-CVE-2008-0411.diff

Tom and Stefan, can you please prepare an ebuild so we can test this before Feb. 27?

Created attachment 144554
ghostscript-gnu-8.60.0-r1.ebuild.patch

I'll attach patch's for maintainer and others review. This one is for ghostscript-gnu. Other ghostscript packages will follow as soon as I test them...

Created attachment 144560
ghostscript-esp-8.15.4.ebuild.patch

Patch for ghostscript-esp. Includes lot's of quotations fixes.

Created attachment 144561
ghostscript-gpl-8.61-r2.ebuild.patch

And this is patch for ghostscript-gpl. But note during commit patch itself should go into ghostscript-gpl-8.61-patchset-4.tar.bz2. So this patch is for testing purposes only.

Arch Security Liaisons, please test the attached ebuilds and report stable on this bug.

=app-text/ghostscript-esp-8.15.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390 sh sparc x86"

=app-text/ghostscript-gnu-8.60.0-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

=app-text/ghostscript-gpl-8.61-r3
Target keywords : "ppc64 release"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

Oh, and thanks Peter for preparing the ebuilds and doing some QA on the existing ones.

Both are good for HPPA.

(In reply to comment #7)
> Arch Security Liaisons, please test the attached ebuilds and report stable on
> this bug.

There is something wrong with the keywords:
> =app-text/ghostscript-gpl-8.61-r3
> Target keywords : "ppc64 release"

 Especially this one.

(In reply to comment #10)
> (In reply to comment #7)
> > Arch Security Liaisons, please test the attached ebuilds and report stable on
> > this bug.
>
> There is something wrong with the keywords:
> > =app-text/ghostscript-gpl-8.61-r3
> > Target keywords : "ppc64 release"
>
> Especially this one.

Not just that - AFAIK ghostscript-esp is getting dropped somewhere in the future and this bug doesn't have an attachment that patches a ghostscript-esp ebuild.

Also odd is that patch to a few ebuilds were posted instead of the new ebuilds themselves as is common practice.

(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #7)
> > > Arch Security Liaisons, please test the attached ebuilds and report stable on
> > > this bug.
> >
> > There is something wrong with the keywords:
> > > =app-text/ghostscript-gpl-8.61-r3
> > > Target keywords : "ppc64 release"
> >
> > Especially this one.
>
> Not just that - AFAIK ghostscript-esp is getting dropped somewhere in the
> future and this bug doesn't have an attachment that patches a ghostscript-esp
> ebuild.

 It does. See comment #5.

> Also odd is that patch to a few ebuilds were posted instead of the new ebuilds
> themselves as is common practice.

 Not that bad.

(In reply to comment #10)
> There is something wrong with the keywords:

Yes, sorry. I mixed up gpl and gnu.

=app-text/ghostscript-esp-8.15.4-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release s390
sh sparc x86"

=app-text/ghostscript-gnu-8.60.0-r2
Target keywords : "ppc64 release"

=app-text/ghostscript-gpl-8.61-r3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

Ok...-gpl and -esp fine on x86, they survived my stress test with different things on a really huge PostScript file.

(In reply to comment #12)
> It does. See comment #5.

Ow, missed that. Sorry.

> > Also odd is that patch to a few ebuilds were posted instead of the new ebuilds
> > themselves as is common practice.
>
> Not that bad.

It's bad when you require seven people to download and apply three patches individually - it's one more step to perform in testing each of the ebuilds.

Jeroen I didn't knew that and will do next time. Right now I've downloaded 5 patches for shorewall* packages and believe me - patches are not so hard to use ;) Just 2-3 additional commands but they worth it as patch greatly simplify review. If that's necessary I can attach full ebuilds now.

ghostscript-esp is good for HPPA too.

looks good on ppc ...

Chris Evans' advisory is public now, lifting embargo:

http://scary.beasts.org/security/CESA-2008-001.html

ghostscript-8.15.4-4.fc7 has been submitted as an update for Fedora 7

looks good on ppc64, too.

ghostscript-gpl-8.61.r2 is good on sparc; the others look good on sparc. I also thought ghostscript-esp was either dying or dead, but it does look good. Why are we keeping it around?

ghostscript-8.61-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update ghostscript'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1998

Looks good for amd64 too.

This is public now. Peter/Printing, can you commit this to the tree with the stable keywords mentioned here. I can re-cc the missing arches.

Commited in the tree.

Target keywords left:
=app-text/ghostscript-esp-8.15.4-r1: "release, alpha, arm, ia64, m68k, mips, s390, sh"
=app-text/ghostscript-gpl-8.61-r3: "release, alpha, arm, ia64, m68k, sh"

Seems that the only reason to keep app-text/ghostscript-esp in the tree is that mips, s390 and sh still have not keyworded/stabilized app-text/ghostscript-{gpl,gnu}.

alpha/ia64 stable, Robert, i think i told you to cc me on restricted bugs, i hate you now! :P

mips is going all ~arch.

Fixed in release snapshot.

Seems ready for GLSA.

ghostscript-8.61-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Just a note: I committed ghostscript-gpl-8.62 to the tree a few minutes ago which had the fix applied upstream.

ghostscript-8.15.4-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

GLSA 200803-14