Package: ghostscript
Version: 8.61.dfsg.1-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2008-0411[0]:
| This advisory notes a stack-based buffer overflow in the zseticcspace()
| function in zicc.c. The issue is over-trust of the length of a postscript array
| which an attacker can set to an arbitrary length. One slight amusement is that
| the overflowed type is "float", leading to machine code -> float conversion in
| any exploit.

Mitre has not yet put any vulnerability text on their website.
In the meantime you can get a verbose description on:
http://scary.beasts.org/security/ea9fde3e0e58b7b6/CESA-2008-001.html

A patch is attached.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0411

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

--- src/zicc.c +++ src/zicc.c 2008-02-05 16:11:59.000000000 +0000 @@ -77,6 +77,9 @@ zseticcspace(i_ctx_t * i_ctx_p) dict_find_string(op, "N", &pnval); ncomps = pnval->value.intval; + if (2*ncomps > sizeof(range_buff)/sizeof(float)) + return_error(e_rangecheck); + /* verify the DataSource entry */ if (dict_find_string(op, "DataSource", &pstrmval) <= 0) return_error(e_undefined);
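
Review bot: The added bound check in zseticcspace() multiplies before comparing (2*ncomps) and never rejects non-positive values explicitly. Assuming ncomps is a signed integer (it is assigned from pnval->value.intval), a very large N can overflow the multiplication, and a negative N is only caught through the implicit conversion to the unsigned type of the sizeof expression. Dividing the limit instead avoids depending on either behaviour: `if (ncomps <= 0 || ncomps > sizeof(range_buff)/sizeof(float)/2) return_error(e_rangecheck);`. Separately, the context line above the check calls dict_find_string(op, "N", &pnval) without testing its result in the lines shown here, unlike the DataSource lookup below that tests `<= 0`; it is worth confirming that pnval is known to be present and integer-typed before value.intval is read.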