Vigil@nce: Ghostscript, integer overflows via ICC
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open a malicious PDF or PS
file with Ghostscript in order to execute code with victim’s
privileges.
Severity: 2/4
Consequences: user access/rights, client access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/04/2009
IMPACTED PRODUCTS
– Fedora
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Server
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The ICC (International Color Consortium) profile defines color
variations needed by each device in order to display identical
colors. Some image types, such as JPEG or PNG, can contain ICC
profiles and can be included in a PDF or PostScript document.
The icclib/icc.c file of Ghostscript implements ICC.
The VIGILANCE-VUL-8547 (https://vigilance.fr/tree/1/8547)
vulnerability describes several ICC integer overflows which lead
to code execution. However, its patch was incomplete.
The icclib/icc.c file still contains several errors in the
handling of integers coming from an ICC profile. These integer
overflows can corrupt the memory.
An attacker can therefore invite the victim to open a malicious
PDF or PS file with Ghostscript in order to execute code with
victim’s privileges.
CHARACTERISTICS
Identifiers: 491853, CVE-2009-0792, FEDORA-2009-3430,
FEDORA-2009-3435, FEDORA-2009-3709, FEDORA-2009-3710,
FEDORA-2009-3720, FEDORA-2009-3740, RHSA-2009:0420-01,
RHSA-2009:0421-01, SUSE-SR:2009:009, VIGILANCE-VUL-8640
http://vigilance.fr/vulnerability/Ghostscript-integer-overflows-via-ICC-8640