Debian: DSA-1746-1: New ghostscript packages fix arbitrary code execution

    Date: 20 Mar 2009
    Category: Debian
    Posted By: LinuxSecurity Advisories
    ------------------------------------------------------------------------
    Debian Security Advisory DSA-1746-1
    http://www.debian.org/security/                      Steffen Joeris
    March 20, 2009                       http://www.debian.org/security/faq
    ------------------------------------------------------------------------
    
    Package        : ghostscript
    Vulnerability  : several vulnerabilities
    Problem type   : local (remote)
    Debian-specific: no
    CVE Ids        : CVE-2009-0583 CVE-2009-0584
    
    
    Two security issues have been discovered in ghostscript, the GPL
    Ghostscript PostScript/PDF interpreter. The Common Vulnerabilities and
    Exposures project identifies the following problems:
    
    
    CVE-2009-0583
    
    Jan Lieskovsky discovered multiple integer overflows in the ICC library,
    which allow the execution of arbitrary code via crafted ICC profiles in
    PostScript files with embedded images.
    
    CVE-2009-0584
    
    Jan Lieskovsky discovered insufficient upper-bounds checks on certain
    variable sizes in the ICC library, which allow the execution of
    arbitrary code via crafted ICC profiles in PostScript files with
    embedded images.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 8.62.dfsg.1-3.2lenny1.
    
    For the oldstable distribution (etch), these problems have been fixed
    in version 8.54.dfsg.1-5etch2. Please note that the package in oldstable
    is called gs-gpl.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems will be fixed soon.
    
    
    We recommend that you upgrade your ghostscript/gs-gpl packages.
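
The fixed versions above can be checked against a package inventory, but Debian version strings do not sort as plain text: revision 3.10 is newer than 3.2lenny1, and a `~` suffix sorts older than the same string without it. This added Python example, which is not part of the advisory, follows dpkg's ordering rules and flags entries older than the fix; the inventory format, host names and installed versions are constructed for illustration.

```python
# Added example, not from the advisory: flag inventory entries below the fix.
DIGITS = "0123456789"
FIXED = {  # release -> (package, fixed version), as stated in DSA-1746-1
    "lenny": ("ghostscript", "8.62.dfsg.1-3.2lenny1"),
    "etch": ("gs-gpl", "8.54.dfsg.1-5etch2"),
}

def _order(c):
    # dpkg ordering in a non-digit run: '~' < end of string < letters < others
    if c == "~":
        return -1
    return 0 if c in DIGITS else ord(c) if c.isalpha() else ord(c) + 256

def _take_digits(s):
    n = len(s) - len(s.lstrip(DIGITS))
    return int(s[:n] or 0), s[n:]

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    while a or b:
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return (ac > bc) - (ac < bc)
            a, b = a[1:], b[1:]
        (na, a), (nb, b) = _take_digits(a), _take_digits(b)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(inventory):
    """Return (host, package, version) for each entry older than its fix."""
    findings = []
    for line in inventory.strip().splitlines():
        host, release, package, version = line.split()
        fixed_pkg, fixed_ver = FIXED.get(release, (None, None))
        if package == fixed_pkg and deb_compare(version, fixed_ver) < 0:
            findings.append((host, package, version))
    return findings

# Constructed inventory: host, release, package, installed version.
SAMPLE = """print01 lenny ghostscript 8.62.dfsg.1-3.2
print02 lenny ghostscript 8.62.dfsg.1-3.2lenny1
web01 etch gs-gpl 8.54.dfsg.1-5etch1
web02 etch gs-gpl 8.54.dfsg.1-5etch2
build01 lenny ghostscript 8.62.dfsg.1-3.10"""
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison.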
    
    Upgrade instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    -------------------------------

    Debian (oldstable)
    ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    
    Debian GNU/Linux 5.0 alias lenny
    --------------------------------

    Debian (stable)
    ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    