RedHat has issued an advisory on September 11: https://rhn.redhat.com/errata/RHSA-2012-1256.html Mandriva has issued an advisory for this today (September 12): http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:151 In Mageia, this issue affects the icclib and argyllcms packages. Fixes have already been submitted in Cauldron. Fixes have also already been submitted in Mageia 2 in SVN, but I am waiting on feedback from D Morgan on how to fix Bug 5897, which also affects these packages, before submitting to QA. In November, D Morgan also imported these packages into Mageia 1 updates_testing, but they had not been pushed yet. I have upgraded these to the versions in Mageia 2, with the fix for CVE-2012-4405, so we can provide these in Mageia 1 with this update as well.
CC: (none) => dmorganecBlocks: (none) => 7195, 7196, 5897Whiteboard: (none) => MGA1TOO
Severity: normal => major
As it turns out, this does also affect ghostscript 9. Mandriva has issued an advisory for MDV 2011 on October 5: http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1 So I'll be updating ghostscript in Mageia 1, Mageia 2, and Cauldron. I also haven't gotten any action from D Morgan, so I will not push argyllcms and icclib for Mageia 1 at this time, and we will just have to take Bug 5897 as a known issue for Mageia 2.
Summary: argyllcms, icclib new security issue CVE-2012-4405 => ghostscript, argyllcms, icclib new security issue CVE-2012-4405
Source RPM: argyllcms, icclib => ghostscript, argyllcms, icclib
Patched packages uploaded for Mageia 1 and Mageia 2. Note to QA: The argyllcms and icclib packages in Mageia 1 updates_testing are *NOT* included with this update. Advisory: ======================== Updated ghostscript packages fix security vulnerability: An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript (CVE-2012-4405). The argyllcms and icclib packages in Mageia 2 are also affected by this flaw and have been updated as well. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1 ======================== Updated packages in core/updates_testing: ======================== ghostscript-9.04-1.1.mga1 ghostscript-dvipdf-9.04-1.1.mga1 ghostscript-common-9.04-1.1.mga1 ghostscript-X-9.04-1.1.mga1 ghostscript-module-X-9.04-1.1.mga1 libgs9-9.04-1.1.mga1 libgs9-devel-9.04-1.1.mga1 libijs1-0.35-81.1.mga1 libijs1-devel-0.35-81.1.mga1 ghostscript-doc-9.04-1.1.mga1 ghostscript-9.05-2.1.mga2 ghostscript-dvipdf-9.05-2.1.mga2 ghostscript-common-9.05-2.1.mga2 ghostscript-X-9.05-2.1.mga2 ghostscript-module-X-9.05-2.1.mga2 libgs9-9.05-2.1.mga2 libgs9-devel-9.05-2.1.mga2 libijs1-0.35-86.1.mga2 libijs1-devel-0.35-86.1.mga2 ghostscript-doc-9.05-2.1.mga2 argyllcms-1.4.0-1.1.mga2 icclib-2.13-1.1.mga2 libicc2-2.13-1.1.mga2 libicc-devel-2.13-1.1.mga2 from SRPMS: ghostscript-9.04-1.1.mga1.src.rpm ghostscript-9.05-2.1.mga2.src.rpm argyllcms-1.4.0-1.1.mga2.src.rpm icclib-2.13-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
No public PoC
Ghostscript can be checked by 'printing' a web page to file and saving as a postscript file. Then: $ gs GPL Ghostscript 9.05 (2012-02-08) Copyright (C) 2010 Artifex Software, Inc. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. GS>(mozilla.ps) run >>showpage, press <return> to continue<< >>showpage, press <return> to continue<< >>showpage, press <return> to continue<< GS>quit mozilla.ps is the filename here. List of changed files in argyllcms: $ rpmdiff -iT argyllcms-1.4.0-1.mga2.x86_64.rpm argyllcms-1.4.0-1.1.mga2.x86_64.rpm removed PROVIDES argyllcms(x86-64) = 1.4.0-1.mga2 added PROVIDES argyllcms(x86-64) = 1.4.0-1.1.mga2 ..5........ /usr/bin/applycal ..5........ /usr/bin/average ..5........ /usr/bin/ccttest ..5........ /usr/bin/ccxxmake ..5........ /usr/bin/chartread ..5........ /usr/bin/collink ..5........ /usr/bin/colprof ..5........ /usr/bin/dispcal ..5........ /usr/bin/dispread ..5........ /usr/bin/dispwin ..5........ /usr/bin/extracticc ..5........ /usr/bin/extractttag ..5........ /usr/bin/fakeCMY ..5........ /usr/bin/fakeread ..5........ /usr/bin/iccdump ..5........ /usr/bin/iccgamut ..5........ /usr/bin/icclu ..5........ /usr/bin/icctest ..5........ /usr/bin/invprofcheck ..5........ /usr/bin/kodak2ti3 ..5........ /usr/bin/mppcheck ..5........ /usr/bin/mpplu ..5........ /usr/bin/mppprof ..5........ /usr/bin/pathplot ..5........ /usr/bin/printcal ..5........ /usr/bin/printtarg ..5........ /usr/bin/profcheck ..5........ /usr/bin/refine ..5........ /usr/bin/revfix ..5........ /usr/bin/scanin ..5........ /usr/bin/sepgen ..5........ /usr/bin/simpprof ..5........ /usr/bin/spec2cie ..5........ /usr/bin/specplot ..5........ /usr/bin/splitti3 ..5........ /usr/bin/spotread ..5........ /usr/bin/synthcal ..5........ /usr/bin/synthread ..5........ /usr/bin/targen ..5........ /usr/bin/tiffgamut ..5........ /usr/bin/txt2ti3 ..5........ /usr/bin/verify ..5........ /usr/bin/viewgam ..5........ /usr/bin/xicclu Just checking some appear to work, as extra equipment is needed to use this properly. Nothing actually requires icclib so just checking it installs and updates without any problems.
Whiteboard: MGA1TOO => MGA1TOO has_procedure
Also.. Ghostscript can also be tested using gv ghostscript-X can be tested with by using the gsx command.. $ gsx mozilla.ps libijs1 can be tested with.. $ gs -sDEVICE=djet500 -sOutputFile="testoutput.prn" -dNOPAUSE mozilla.ps -c quit $ gs GPL Ghostscript 9.05 (2012-02-08) Copyright (C) 2010 Artifex Software, Inc. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. GS>devicenames == gives a long list of supported ijs devices
I notice with the existing packages.. There was a problem during the installation: file /usr/bin/iccdump conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64 file /usr/bin/icclu conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64 file /usr/bin/icctest conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64 also with the updated packages.. 1 installation transactions failed There was a problem during the installation: file /usr/bin/iccdump conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64 file /usr/bin/icclu conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64 file /usr/bin/icctest conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64
Ghostscript tested ok mga2 64 though
As noted in Comment 1, the file conflicts between argyllcms and icclib are a known issue and will not be fixed at this time. Sorry.
Ok, we should mention that in in the advisory. Additional advisory -------------------------- There are known file conflicts between argyllcms and icclib which will be fixed in a separate update. See bug 5897 for further details. -------------------------- Testing complete mga2 64 Used several random commands from the list from argyllcms then uninstalled and verified icclib & lib64icc2 could be installed and updated.
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-64-OK
Testing complete Mageia 2 i586, Mageia 1 i586, and x86-64. Could someone from the sysadmin team push the srpms ghostscript-9.05-2.1.mga2.src.rpm argyllcms-1.4.0-1.1.mga2.src.rpm icclib-2.13-1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm ghostscript-9.04-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated ghostscript packages fix security vulnerability: An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript (CVE-2012-4405). The argyllcms and icclib packages in Mageia 2 are also affected by this flaw and have been updated as well. There are known file conflicts between argyllcms and icclib which will be fixed in a separate update. See bug 5897 for further details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1 https://bugs.mageia.org/show_bug.cgi?id=5897 https://bugs.mageia.org/show_bug.cgi?id=7464
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0301
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
Blocks: 5897 => (none)
Blocks: 7195 => (none)
Blocks: 7196 => (none)