USN-757-1: Ghostscript vulnerabilities

15 April 2009

ghostscript, gs-esp, gs-gpl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • ghostscript
  • gs-esp
  • gs-gpl

Details

It was discovered that Ghostscript contained a buffer underflow in its CCITTFax decoding filter. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2007-6725)

It was discovered that Ghostscript contained a buffer overflow in the BaseFont writer module. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2008-6679)

It was discovered that Ghostscript contained additional integer overflows in its ICC color management library. If a user or automated system were tricked into opening a crafted Postscript or PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-0792)

Alin Rad Pop discovered that Ghostscript contained a buffer overflow in the jbig2dec library. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-0196)

USN-743-1 provided updated ghostscript and gs-gpl packages to fix two security vulnerabilities. This update corrects the same vulnerabilities in the gs-esp package.

Original advisory details: It was discovered that Ghostscript contained multiple integer overflows in its ICC color management library. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-0583)

It was discovered that Ghostscript did not properly perform bounds checking in its ICC color management library. If a user or automated system were tricked into opening a crafted Postscript file, an attacker could cause a denial of service or execute arbitrary code with privileges of the user invoking the program. (CVE-2009-0584)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
libgs8 - 8.63.dfsg.1-0ubuntu6.4
Ubuntu 8.04 LTS
libgs8 - 8.61.dfsg.1-1ubuntu3.2
Ubuntu 6.06 LTS
gs-esp - 8.15.2.dfsg.0ubuntu1-0ubuntu1.2
gs-gpl - 8.15-4ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References