The attached patch fixes this security issue and similar issues in outprintf() and gs_throw_imp().
The patch also applies to ghostscript-8.62.dfsg.1 (lenny version) except that the source file is src/gsmisc.c instead of base/gsmisc.c.
diff -u ghostscript-8.70~dfsg/debian/changelog ghostscript-8.70~dfsg/debian/changelog
--- ghostscript-8.70~dfsg/debian/changelog
+++ ghostscript-8.70~dfsg/debian/changelog
@@ -1,3 +1,13 @@
+ghostscript (8.70~dfsg-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix some security issues:
+ - CVE-2009-4270[0]: stack-based buffer overflow multiple integer
+ overflows in the icc library (closes: #562643)
+ - fix possible buffer overflow in gs_throw_imp()
+
+ -- Andreas Kirschbaum <kirschb...@in-medias-res.com> Sat, 23 Jan 2010 10:19:35 +0100
+
 ghostscript (8.70~dfsg-2) unstable; urgency=low
 * Fix resolving package-relations.
only in patch2:
unchanged:
--- ghostscript-8.70~dfsg.orig/base/gsmisc.c
+++ ghostscript-8.70~dfsg/base/gsmisc.c
@@ -69,12 +69,11 @@
 va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof(buf), fmt, args);
 outwrite(mem, buf, count);
 if (count >= PRINTF_BUF_LENGTH) {
 count = sprintf(buf,
- "PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
- PRINTF_BUF_LENGTH);
+ "WARNING: previous message has been truncated.\n");
 outwrite(mem, buf, count);
 }
 va_end(args);
@@ -89,12 +88,11 @@
 va_start(args, fmt);
- count = vsprintf(buf, fmt, args);
+ count = vsnprintf(buf, sizeof(buf), fmt, args);
 errwrite(buf, count);
 if (count >= PRINTF_BUF_LENGTH) {
 count = sprintf(buf,
- "PANIC: printf exceeded %d bytes. Stack has been corrupted.\n",
- PRINTF_BUF_LENGTH);
+ "WARNING: previous message has been truncated.\n");
 errwrite(buf, count);
 }
 va_end(args);
@@ -236,7 +234,7 @@
 va_list ap;
 va_start(ap, fmt);
- vsprintf(msg, fmt, ap);
+ vsnprintf(msg, sizeof(msg), fmt, ap);
 msg[sizeof(msg) - 1] = 0;
 va_end(ap);
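Review bot: In the `@@ -69,12 +69,11 @@` hunk of base/gsmisc.c, `outwrite(mem, buf, count)` still runs before the `count >= PRINTF_BUF_LENGTH` check, and vsnprintf() returns the length the full message would have had, so an over-long message makes outwrite read past the end of `buf` and emit adjacent stack contents. A negative return (formatting error, or truncation on pre-C99 implementations) is also passed through as a length. The `@@ -89,12 +88,11 @@` hunk has the same pattern with `errwrite(buf, count)`. The length should be clamped before the first write, as in the fence below. The declarations of `buf` and `count` and the function's return statement are outside the hunk, so the value returned after this change should be checked against what callers expect.

```c
count = vsnprintf(buf, sizeof(buf), fmt, args);
if (count < 0) {
    count = 0;  /* formatting failed; buf contents are not usable */
} else if (count >= (int)sizeof(buf)) {
    /* vsnprintf returns the untruncated length; only sizeof(buf) - 1 bytes were stored */
    outwrite(mem, buf, sizeof(buf) - 1);
    count = sprintf(buf, "WARNING: previous message has been truncated.\n");
    outwrite(mem, buf, count);
} else {
    outwrite(mem, buf, count);
}
/* … unchanged: va_end(args) … */
```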
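Review bot: In the `@@ -236,7 +234,7 @@` hunk the result of `vsnprintf(msg, sizeof(msg), fmt, ap)` is discarded, so a truncated message is passed on silently and a negative return leaves everything in `msg` before the final byte unspecified. Consider `if (vsnprintf(msg, sizeof(msg), fmt, ap) < 0) msg[0] = 0;`, and a comment on the following line such as `/* kept for pre-C99 vsnprintf variants that do not terminate on truncation */` so the explicit terminator is not later removed as redundant. How `msg` is used afterwards is outside the hunk.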