ID | CVE-2009-0584
Summary | icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.
References |

Vulnerable Configurations |
- cpe:2.3:a:argyllcms:cms:*:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:0:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:5.50:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:7.05:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:7.07:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.15:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.54:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.60:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.61:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:*:*:*:*:*:*:*:*
|
CVSS
Base | 9.3 (as of 10-10-2018 - 19:29)
Impact |
Exploitability |

CWE | CWE-189
CAPEC |

Access
Vector | Complexity | Authentication
NETWORK | MEDIUM | NONE

Impact
Confidentiality | Integrity | Availability
COMPLETE | COMPLETE | COMPLETE

cvss-vector (via4) | AV:N/AC:M/Au:N/C:C/I:C/A:C

oval (via4)
accepted | 2013-04-29T04:06:34.516-04:00
class | vulnerability
contributors |
- name | Aharon Chernin | organization | SCAP.com, LLC
- name | Dragos Prisaca | organization | G2, Inc.
definition_extensions |
- comment | The operating system installed on the system is Red Hat Enterprise Linux 3 | oval | oval:org.mitre.oval:def:11782
- comment | CentOS Linux 3.x | oval | oval:org.mitre.oval:def:16651
- comment | The operating system installed on the system is Red Hat Enterprise Linux 4 | oval | oval:org.mitre.oval:def:11831
- comment | CentOS Linux 4.x | oval | oval:org.mitre.oval:def:16636
- comment | Oracle Linux 4.x | oval | oval:org.mitre.oval:def:15990
- comment | The operating system installed on the system is Red Hat Enterprise Linux 5 | oval | oval:org.mitre.oval:def:11414
- comment | The operating system installed on the system is CentOS Linux 5.x | oval | oval:org.mitre.oval:def:15802
- comment | Oracle Linux 5.x | oval | oval:org.mitre.oval:def:15459
description | icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.
family | unix
id | oval:org.mitre.oval:def:10544
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | (same text as the description above)
version | 30

redhat (via4)
advisories |
bugzilla | id | 487744 | title | CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library
oval |
- OR
  - comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026
  - AND
    - comment | Red Hat Enterprise Linux 4 is installed | oval | oval:com.redhat.rhba:tst:20070304025
    - OR
      - AND
        - comment | ghostscript is earlier than 0:7.07-33.2.el4_7.5 | oval | oval:com.redhat.rhsa:tst:20090345001
        - comment | ghostscript is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20080155002
      - AND
        - comment | ghostscript-devel is earlier than 0:7.07-33.2.el4_7.5 | oval | oval:com.redhat.rhsa:tst:20090345003
        - comment | ghostscript-devel is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20080155004
      - AND
        - comment | ghostscript-gtk is earlier than 0:7.07-33.2.el4_7.5 | oval | oval:com.redhat.rhsa:tst:20090345005
        - comment | ghostscript-gtk is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20080155006
  - AND
    - comment | Red Hat Enterprise Linux 5 is installed | oval | oval:com.redhat.rhba:tst:20070331005
    - OR
      - AND
        - comment | ghostscript is earlier than 0:8.15.2-9.4.el5_3.4 | oval | oval:com.redhat.rhsa:tst:20090345008
        - comment | ghostscript is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20080155009
      - AND
        - comment | ghostscript-devel is earlier than 0:8.15.2-9.4.el5_3.4 | oval | oval:com.redhat.rhsa:tst:20090345010
        - comment | ghostscript-devel is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20080155011
      - AND
        - comment | ghostscript-gtk is earlier than 0:8.15.2-9.4.el5_3.4 | oval | oval:com.redhat.rhsa:tst:20090345012
        - comment | ghostscript-gtk is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20080155013
rhsa | id | RHSA-2009:0345 | released | 2009-03-19 | severity | Moderate | title | RHSA-2009:0345: ghostscript security update (Moderate)
rpms |
- ghostscript-0:7.05-32.1.17
- ghostscript-0:7.07-33.2.el4_7.5
- ghostscript-0:8.15.2-9.4.el5_3.4
- ghostscript-debuginfo-0:7.05-32.1.17
- ghostscript-debuginfo-0:7.07-33.2.el4_7.5
- ghostscript-debuginfo-0:8.15.2-9.4.el5_3.4
- ghostscript-devel-0:7.05-32.1.17
- ghostscript-devel-0:7.07-33.2.el4_7.5
- ghostscript-devel-0:8.15.2-9.4.el5_3.4
- ghostscript-gtk-0:7.07-33.2.el4_7.5
- ghostscript-gtk-0:8.15.2-9.4.el5_3.4
- hpijs-0:1.3-32.1.17

refmap (via4)
auscert | ESB-2009.0259
bid | 34184
bugtraq | 20090319 rPSA-2009-0050-1 ghostscript
confirm |
debian | DSA-1746
fedora |
- FEDORA-2009-2883
- FEDORA-2009-2885
- FEDORA-2009-3011
- FEDORA-2009-3031
gentoo | GLSA-200903-37
mandriva |
- MDVSA-2009:095
- MDVSA-2009:096
osvdb | 52988
sectrack | 1021868
secunia |
- 34266
- 34373
- 34381
- 34393
- 34398
- 34418
- 34437
- 34443
- 34469
- 34729
- 35559
- 35569
sunalert | 262288
suse | SUSE-SR:2009:007
ubuntu |
vupen |
- ADV-2009-0776
- ADV-2009-0777
- ADV-2009-0816
- ADV-2009-1708
xf | ghostscript-icclib-bo(49327)

Last major update | 10-10-2018 - 19:29
Published | 23-03-2009 - 20:00
Last modified | 10-10-2018 - 19:29