Bug 7464 - ghostscript, argyllcms, icclib new security issue CVE-2012-4405
Summary: ghostscript, argyllcms, icclib new security issue CVE-2012-4405
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/515812/
Whiteboard: MGA1TOO has_procedure mga2-64-OK MGA2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-09-12 21:31 CEST by David Walser
Modified: 2012-10-20 19:42 CEST (History)
4 users (show)

See Also:
Source RPM: ghostscript, argyllcms, icclib
CVE:
Status comment:


Attachments

Description David Walser 2012-09-12 21:31:19 CEST
RedHat has issued an advisory on September 11:
https://rhn.redhat.com/errata/RHSA-2012-1256.html

Mandriva has issued an advisory for this today (September 12):
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:151

In Mageia, this issue affects the icclib and argyllcms packages.

Fixes have already been submitted in Cauldron.

Fixes have also already been submitted in Mageia 2 in SVN, but I am waiting on feedback from D Morgan on how to fix Bug 5897, which also affects these packages, before submitting to QA.

In November, D Morgan also imported these packages into Mageia 1 updates_testing, but they had not been pushed yet.  I have upgraded these to the versions in Mageia 2, with the fix for CVE-2012-4405, so we can provide these in Mageia 1 with this update as well.
David Walser 2012-09-12 21:31:47 CEST

CC: (none) => dmorganec
Blocks: (none) => 7195, 7196, 5897
Whiteboard: (none) => MGA1TOO

David Walser 2012-09-12 21:57:27 CEST

Severity: normal => major

Comment 1 David Walser 2012-10-09 23:37:19 CEST
As it turns out, this does also affect ghostscript 9.

Mandriva has issued an advisory for MDV 2011 on October 5:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1

So I'll be updating ghostscript in Mageia 1, Mageia 2, and Cauldron.

I also haven't gotten any action from D Morgan, so I will not push argyllcms and icclib for Mageia 1 at this time, and we will just have to take Bug 5897 as a known issue for Mageia 2.

Summary: argyllcms, icclib new security issue CVE-2012-4405 => ghostscript, argyllcms, icclib new security issue CVE-2012-4405

David Walser 2012-10-09 23:50:27 CEST

Source RPM: argyllcms, icclib => ghostscript, argyllcms, icclib

Comment 2 David Walser 2012-10-10 00:24:00 CEST
Patched packages uploaded for Mageia 1 and Mageia 2.

Note to QA: The argyllcms and icclib packages in Mageia 1 updates_testing are *NOT* included with this update.

Advisory:
========================

Updated ghostscript packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in Ghostscript's International Color Consortium Format library
(icclib). An attacker could create a specially-crafted PostScript or
PDF file with embedded images that would cause Ghostscript to crash
or, potentially, execute arbitrary code with the privileges of the
user running Ghostscript (CVE-2012-4405).

The argyllcms and icclib packages in Mageia 2 are also affected by this
flaw and have been updated as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.04-1.1.mga1
ghostscript-dvipdf-9.04-1.1.mga1
ghostscript-common-9.04-1.1.mga1
ghostscript-X-9.04-1.1.mga1
ghostscript-module-X-9.04-1.1.mga1
libgs9-9.04-1.1.mga1
libgs9-devel-9.04-1.1.mga1
libijs1-0.35-81.1.mga1
libijs1-devel-0.35-81.1.mga1
ghostscript-doc-9.04-1.1.mga1
ghostscript-9.05-2.1.mga2
ghostscript-dvipdf-9.05-2.1.mga2
ghostscript-common-9.05-2.1.mga2
ghostscript-X-9.05-2.1.mga2
ghostscript-module-X-9.05-2.1.mga2
libgs9-9.05-2.1.mga2
libgs9-devel-9.05-2.1.mga2
libijs1-0.35-86.1.mga2
libijs1-devel-0.35-86.1.mga2
ghostscript-doc-9.05-2.1.mga2
argyllcms-1.4.0-1.1.mga2
icclib-2.13-1.1.mga2
libicc2-2.13-1.1.mga2
libicc-devel-2.13-1.1.mga2

from SRPMS:
ghostscript-9.04-1.1.mga1.src.rpm
ghostscript-9.05-2.1.mga2.src.rpm
argyllcms-1.4.0-1.1.mga2.src.rpm
icclib-2.13-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2012-10-11 16:36:40 CEST
No public PoC
Comment 4 claire robinson 2012-10-15 16:17:59 CEST
Ghostscript can be checked by 'printing' a web page to file and saving as a postscript file. Then:

$ gs
GPL Ghostscript 9.05 (2012-02-08)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>(mozilla.ps) run
>>showpage, press <return> to continue<<

>>showpage, press <return> to continue<<

>>showpage, press <return> to continue<<

GS>quit

mozilla.ps is the filename here.



List of changed files in argyllcms:

$ rpmdiff -iT argyllcms-1.4.0-1.mga2.x86_64.rpm argyllcms-1.4.0-1.1.mga2.x86_64.rpm 
removed     PROVIDES argyllcms(x86-64) = 1.4.0-1.mga2
added       PROVIDES argyllcms(x86-64) = 1.4.0-1.1.mga2
..5........ /usr/bin/applycal
..5........ /usr/bin/average
..5........ /usr/bin/ccttest
..5........ /usr/bin/ccxxmake
..5........ /usr/bin/chartread
..5........ /usr/bin/collink
..5........ /usr/bin/colprof
..5........ /usr/bin/dispcal
..5........ /usr/bin/dispread
..5........ /usr/bin/dispwin
..5........ /usr/bin/extracticc
..5........ /usr/bin/extractttag
..5........ /usr/bin/fakeCMY
..5........ /usr/bin/fakeread
..5........ /usr/bin/iccdump
..5........ /usr/bin/iccgamut
..5........ /usr/bin/icclu
..5........ /usr/bin/icctest
..5........ /usr/bin/invprofcheck
..5........ /usr/bin/kodak2ti3
..5........ /usr/bin/mppcheck
..5........ /usr/bin/mpplu
..5........ /usr/bin/mppprof
..5........ /usr/bin/pathplot
..5........ /usr/bin/printcal
..5........ /usr/bin/printtarg
..5........ /usr/bin/profcheck
..5........ /usr/bin/refine
..5........ /usr/bin/revfix
..5........ /usr/bin/scanin
..5........ /usr/bin/sepgen
..5........ /usr/bin/simpprof
..5........ /usr/bin/spec2cie
..5........ /usr/bin/specplot
..5........ /usr/bin/splitti3
..5........ /usr/bin/spotread
..5........ /usr/bin/synthcal
..5........ /usr/bin/synthread
..5........ /usr/bin/targen
..5........ /usr/bin/tiffgamut
..5........ /usr/bin/txt2ti3
..5........ /usr/bin/verify
..5........ /usr/bin/viewgam
..5........ /usr/bin/xicclu

Just checking some appear to work, as extra equipment is needed to use this properly.

Nothing actually requires icclib so just checking it installs and updates without any problems.

Whiteboard: MGA1TOO => MGA1TOO has_procedure

Comment 5 claire robinson 2012-10-15 17:07:10 CEST
Also..

Ghostscript can also be tested using gv

ghostscript-X can be tested with by using the gsx command..

$ gsx mozilla.ps

libijs1 can be tested with..

$ gs -sDEVICE=djet500 -sOutputFile="testoutput.prn" -dNOPAUSE mozilla.ps -c quit

$ gs
GPL Ghostscript 9.05 (2012-02-08)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>devicenames ==

gives a long list of supported ijs devices
Comment 6 claire robinson 2012-10-15 17:28:18 CEST
I notice with the existing packages..

There was a problem during the installation:

file /usr/bin/iccdump conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64

file /usr/bin/icclu conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64

file /usr/bin/icctest conflicts between attempted installs of argyllcms-1.4.0-1.mga2.x86_64 and icclib-2.13-1.mga2.x86_64




also with the updated packages..

1 installation transactions failed

There was a problem during the installation:

file /usr/bin/iccdump conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64

file /usr/bin/icclu conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64

file /usr/bin/icctest conflicts between attempted installs of argyllcms-1.4.0-1.1.mga2.x86_64 and icclib-2.13-1.1.mga2.x86_64
Comment 7 claire robinson 2012-10-15 17:29:19 CEST
Ghostscript tested ok mga2 64 though
Comment 8 David Walser 2012-10-15 18:18:56 CEST
As noted in Comment 1, the file conflicts between argyllcms and icclib are a known issue and will not be fixed at this time.  Sorry.
Comment 9 claire robinson 2012-10-15 18:54:18 CEST
Ok, we should mention that in in the advisory.

Additional advisory
--------------------------
There are known file conflicts between argyllcms and icclib which will be fixed in a separate update. See bug 5897 for further details.
--------------------------

Testing complete mga2 64

Used several random commands from the list from argyllcms then uninstalled and verified icclib & lib64icc2 could be installed and updated.

Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure mga2-64-OK

Comment 10 Dave Hodgins 2012-10-16 04:14:54 CEST
Testing complete Mageia 2 i586, Mageia 1 i586, and x86-64.

Could someone from the sysadmin team push the srpms
ghostscript-9.05-2.1.mga2.src.rpm
argyllcms-1.4.0-1.1.mga2.src.rpm
icclib-2.13-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
ghostscript-9.04-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated ghostscript packages fix security vulnerability:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in Ghostscript's International Color Consortium Format library
(icclib). An attacker could create a specially-crafted PostScript or
PDF file with embedded images that would cause Ghostscript to crash
or, potentially, execute arbitrary code with the privileges of the
user running Ghostscript (CVE-2012-4405).

The argyllcms and icclib packages in Mageia 2 are also affected by this
flaw and have been updated as well.

There are known file conflicts between argyllcms and icclib which will be fixed
in a separate update. See bug 5897 for further details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:151-1
https://bugs.mageia.org/show_bug.cgi?id=5897

https://bugs.mageia.org/show_bug.cgi?id=7464

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 11 Thomas Backlund 2012-10-20 17:37:58 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0301

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Manuel Hiebel 2012-10-20 19:40:06 CEST

Blocks: 5897 => (none)

Manuel Hiebel 2012-10-20 19:41:47 CEST

Blocks: 7195 => (none)

Manuel Hiebel 2012-10-20 19:42:04 CEST

Blocks: 7196 => (none)


Note You need to log in before you can comment on or make changes to this bug.