Articles / Ubuntu: New Ghostscript pac...

Ubuntu: New Ghostscript packages fix security vulnerabilities

It was discovered that Ghostscript did not correctly handle memory allocation when parsing certain malformed JPEG-2000 images. If a user or automated system were tricked into opening a specially crafted image, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. It was discovered that Ghostscript did not correctly handle certain formatting operations when parsing JPEG-2000 images. If a user or automated system were tricked into opening a specially crafted image, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. It was discovered that Ghostscript incorrectly handled certain malformed TrueType fonts. If a user or automated system were tricked into opening a document containing a specially crafted font, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges.

It was discovered that Ghostscript incorrectly handled certain malformed Type 2 fonts. If a user or automated system were tricked into opening a document containing a specially crafted font, an attacker could cause a denial of service and possibly execute arbitrary code with user privileges. Jonathan Foote discovered that Ghostscript incorrectly handled certain malformed JPEG-2000 image files. If a user or automated system were tricked into opening a specially crafted JPEG-2000 image file, an attacker could cause Ghostscript to crash or possibly execute arbitrary code with user privileges.

Updated packages are available from security.ubuntu.com.

==========================================================================
Ubuntu Security Notice USN-1317-1
January 04, 2012

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Ghostscript could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- ghostscript: The GPL Ghostscript PostScript/PDF interpreter

Details:

It was discovered that Ghostscript did not correctly handle memory
allocation when parsing certain malformed JPEG-2000 images. If a user or
automated system were tricked into opening a specially crafted image, an
attacker could cause a denial of service and possibly execute arbitrary
code with user privileges. (CVE-2008-3520)

It was discovered that Ghostscript did not correctly handle certain
formatting operations when parsing JPEG-2000 images. If a user or automated
system were tricked into opening a specially crafted image, an attacker
could cause a denial of service and possibly execute arbitrary code with
user privileges. (CVE-2008-3522)

It was discovered that Ghostscript incorrectly handled certain malformed
TrueType fonts. If a user or automated system were tricked into opening a
document containing a specially crafted font, an attacker could cause a
denial of service and possibly execute arbitrary code with user privileges.
This issue only affected Ubuntu 8.04 LTS. (CVE-2009-3743)

It was discovered that Ghostscript incorrectly handled certain malformed
Type 2 fonts. If a user or automated system were tricked into opening a
document containing a specially crafted font, an attacker could cause a
denial of service and possibly execute arbitrary code with user privileges.
This issue only affected Ubuntu 8.04 LTS. (CVE-2010-4054)

Jonathan Foote discovered that Ghostscript incorrectly handled certain
malformed JPEG-2000 image files. If a user or automated system were tricked
into opening a specially crafted JPEG-2000 image file, an attacker could
cause Ghostscript to crash or possibly execute arbitrary code with user
privileges. (CVE-2011-4516, CVE-2011-4517)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
 libgs8                          8.71.dfsg.2-0ubuntu7.1

Ubuntu 10.04 LTS:
 libgs8                          8.71.dfsg.1-0ubuntu5.4

Ubuntu 8.04 LTS:
 libgs8                          8.61.dfsg.1-1ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
 http://www.ubuntu.com/usn/usn-1317-1
 CVE-2008-3520, CVE-2008-3522, CVE-2009-3743, CVE-2010-4054,
 CVE-2011-4516, CVE-2011-4517

Package Information:
 https://launchpad.net/ubuntu/+source/ghostscript/8.71.dfsg.2-0ubuntu7.1
 https://launchpad.net/ubuntu/+source/ghostscript/8.71.dfsg.1-0ubuntu5.4
 https://launchpad.net/ubuntu/+source/ghostscript/8.61.dfsg.1-1ubuntu3.4
Screenshot

Project Spotlight

GeneaPro

Genealogy software based on the GenTech Genealogical Data Model.

Screenshot

Project Spotlight

Aspose.Cells for Reporting Services

Software that lets you export native Excel reports in Microsoft SQL Server 2005 Reporting Services.