ghostscript-8.15.2-9.4.4.2AXS3
Errata ID: AXSA:2009-43:02
Release date:
2009/04/28 Tuesday - 15:50
Title:
ghostscript-8.15.2-9.4.4.2AXS3
Affected channels:
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The CCITTFax decoding filter in ghostscript has a flaw that allows a remote attacker to cause a denial of service (crash) or execute arbitrary code via a crafted PDF file. (CVE-2007-6725)
- The BaseFont writer module in ghostscript has a buffer overflow that allows a remote attacker to cause a denial of service (ps2pdf crash) or execute arbitrary code via a crafted Postscript file. (CVE-2008-6679)
- The JBIG2 decoding library in ghostscript has a heap-based buffer overflow that allows a remote attacker to execute arbitrary code via a PDF file. (CVE-2009-0196)
- icclib, as used by ghostscript, has multiple integer overflows that can cause a denial of service (heap-based buffer overflow, application crash) or allow arbitrary code execution. (CVE-2009-0792)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2007-6725
The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function.
CVE-2008-6679
Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.
CVE-2009-0196
Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.
CVE-2009-0792
Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583.
Additional information:
N/A
Downloads:
SRPMS
- ghostscript-8.15.2-9.4.4.2AXS3.src.rpm
MD5: 833f1d07eaccb8e98f855c0868545520
SHA-256: 2884b4b26956aa7cdef795bf39c24275aecc3ab59f11ce93990598a2bb59729f
Size: 9.08 MB
Asianux Server 3 for x86
- ghostscript-8.15.2-9.4.4.2AXS3.i386.rpm
MD5: 3c687397e7f034510d0403bd3451c472
SHA-256: b342c98113c335a1094eae50277b63c3f80351fa70f966667bcf411ca5c26364
Size: 6.64 MB
- ghostscript-devel-8.15.2-9.4.4.2AXS3.i386.rpm
MD5: f35255ecaf1bcabaea1c2ecc91f14e57
SHA-256: 62fd8da73063fa080dea85456d6ed2c6534b2b9155ee5a0b55bfe5dd725ac416
Size: 40.85 kB
- ghostscript-gtk-8.15.2-9.4.4.2AXS3.i386.rpm
MD5: 648d9eecac7e6b0f85709f4a14dd0278
SHA-256: 0439e7160f9df700c97539faf19dc922fffcab9c4ed1e95414c34a814aec311d
Size: 30.91 kB
Asianux Server 3 for x86_64
- ghostscript-8.15.2-9.4.4.2AXS3.x86_64.rpm
MD5: 671021ddfa96b19a95c05c8ee29d363b
SHA-256: 3c80947cb45aefb039e52f15fa538b01ea54c651bf3b221bbe07d8005f236324
Size: 6.63 MB
- ghostscript-devel-8.15.2-9.4.4.2AXS3.x86_64.rpm
MD5: 6f74428d0f8f857aaa1812be93612cdb
SHA-256: e9ae6b6a4520d64d066146e02626ce9c42ba079001b16b24fb05ab5d58ffdc8f
Size: 41.50 kB
- ghostscript-gtk-8.15.2-9.4.4.2AXS3.x86_64.rpm
MD5: c53a8dfb25e23dce6e5b937b4ffbb2b5
SHA-256: aa49bf1c06d29f36b043fa3888b18a6aaa86d8fea4dd87f3d0df927c329717f9
Size: 31.08 kB