Vigil@nce: Ghostscript, memory corruption via gs_type2_interpret
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to see a malicious PDF document,
in order to stop Ghostscript, or to execute code.
– Severity: 2/4
– Creation date: 13/10/2010
DESCRIPTION OF THE VULNERABILITY
The Ghostscript program displays PDF or PostScript documents.
A PDF document can contain its own fonts. The Ghostscript
gs_type2_interpret() function decodes TrueType fonts.
Objects in a PDF document can be compressed. When a font object is
incorrectly compressed, invalid uncompressed data are sent to
gs_type2_interpret(). This function then uses an invalid glyph
list. A NULL pointer, or a low value pointer, is thus dereferenced
during a copy operation.
An attacker can therefore invite the victim to see a malicious PDF
document, in order to stop Ghostscript, or to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Ghostscript-memory-corruption-via-gs-type2-interpret-10045