MeeGo alert MeeGo-SA-10:13 (ghostscript)
From: "Ware, Ryan R" <ryan.r.ware@intel.com>
To: "meego-security@meego.com" <meego-security@meego.com>
Subject: [MeeGo-security] [MeeGo-SA-10:13.ghostscript] Multiple ghostscript Arbitrary Code Execution Vulnerabilities
Date: Fri, 27 Aug 2010 16:22:10 -0700
Message-ID: <C89D96B2.363AA%ryan.r.ware@intel.com>

=============================================================================
MeeGo-SA-10:13.ghostscript                                  Security Advisory
                                                                MeeGo Project

Topic:          Multiple ghostscript Arbitrary Code Execution Vulnerabilities

Category:       PostScript
Module:         ghostscript
Announced:      August 3, 2010
Affects:        MeeGo 1.0
Corrected:      August 3, 2010
MeeGo BID:      2069
CVE:            CVE-2010-1869

For general information regarding MeeGo Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://www.MeeGo.com/>.

I. Background

Ghostscript is a set of software that provides a PostScript interpreter, a
set of C procedures (the Ghostscript library, which implements the graphics
capabilities in the PostScript language) and an interpreter for Portable
Document Format (PDF) files. Ghostscript translates PostScript code into many
common, bitmapped formats, like those understood by your printer or screen.
Ghostscript is normally used to display PostScript files and to print
PostScript files to non-PostScript printers.

II. Problem Description

1. A stack overflow in the parser for Ghostscript versions 8.64 and 8.70
occurs when very long identifiers are provided within a PostScript file. By
enticing a user to open a maliciously crafted PostScript file, arbitrary code
execution can be achieved.

This vulnerability was reported to downstream distributions by me on March 4,
2010. An anonymous researcher independently published this vulnerability
today (May 11, 2010), prompting this advisory.

This issue has been assigned CVE-2010-1869.

2. GhostScript (all tested versions) fails to properly handle infinitely
recursive procedure invocations. By providing a PostScript file with a
sequence such as:

    /A{pop 0 A 0} bind def
    /product A 0

the interpreter's internal stack will be overflowed with recursive calls, at
which point execution will jump to an attacker-controlled address.

This vulnerability can be exploited by enticing a user to open a maliciously
crafted PostScript file, achieving arbitrary code execution.

This issue has not yet been assigned a CVE identifier.

CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism

III. Impact

Potential execution of arbitrary malicious code due to buffer errors
(CWE-119).

IV. Workaround

None

V. Solution

Update to package ghostscript-8.71-10.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=2069
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://cwe.mitre.org/data/definitions/119.html
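
As an added example (not part of the advisory or of Ghostscript), a pre-filter for the first issue in section II: it tokenizes a PostScript file and reports identifiers longer than a threshold, skipping comments and strings. The 256-byte threshold, the function name and the sample bytes are assumptions; the advisory states no length.

```python
# Assumption: the advisory gives no length figure; 256 is an arbitrary triage threshold.
MAX_NAME_LEN = 256
BREAKS = b" \t\r\n\f\x00()<>[]{}/%"   # PostScript whitespace and self-delimiting bytes

def long_identifiers(data, limit=MAX_NAME_LEN):
    """Return (offset, length) for every name/operator token longer than limit."""
    hits, i, n = [], 0, len(data)
    while i < n:
        c = data[i]
        if c == 0x25:                        # '%' comment runs to end of line
            while i < n and data[i] not in b"\r\n":
                i += 1
        elif c == 0x28:                      # '(' string: nested parens, escapes
            depth = 0
            while i < n:
                if data[i] == 0x5C:          # backslash escapes the next byte
                    i += 1
                elif data[i] == 0x28:
                    depth += 1
                elif data[i] == 0x29:
                    depth -= 1
                i += 1
                if depth == 0:
                    break
        elif data[i:i + 2] == b"<<":         # dictionary start, not a string
            i += 2
        elif data[i:i + 2] == b"<~":         # ASCII85 string <~ ... ~>
            end = data.find(b"~>", i + 2)
            i = n if end < 0 else end + 2
        elif c == 0x3C:                      # hex string < ... >
            end = data.find(b">", i + 1)
            i = n if end < 0 else end + 1
        elif c in BREAKS:
            i += 1
        else:                                # regular token: name, operator, number
            start = i
            while i < n and data[i] not in BREAKS:
                i += 1
            if i - start > limit:
                hits.append((start, i - start))
    return hits

# Constructed sample: only the last line carries an over-long identifier.
SAMPLE = b"".join([
    b"%!PS\n% " + b"c" * 400 + b"\n",    # long comment: ignored
    b"(" + b"s" * 400 + b") show\n",     # long string: ignored
    b"<< /Title (t) >> pop\n",           # dictionary syntax, short names
    b"/" + b"N" * 300 + b" 1 def\n",     # 300-byte name: reported
])
```

Inline binary data can produce false positives, so a hit is a reason to inspect the file rather than a verdict, and this check does not cover the recursive-procedure issue, for which the package update in section V is the fix.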