The attached patch fixes this security issue and similar issues in
outprintf() and gs_throw_imp().

The patch also applies to ghostscript-8.62.dfsg.1 (lenny version) except
that the source file is src/gsmisc.c instead of base/gsmisc.c.
diff -u ghostscript-8.70~dfsg/debian/changelog ghostscript-8.70~dfsg/debian/changelog
--- ghostscript-8.70~dfsg/debian/changelog
+++ ghostscript-8.70~dfsg/debian/changelog
@@ -1,3 +1,13 @@
+ghostscript (8.70~dfsg-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix some security issues:
+     - CVE-2009-4270[0]: stack-based buffer overflow multiple integer
+       overflows in the icc library (closes: #562643)
+     - fix possible buffer overflow in gs_throw_imp()
+
+ -- Andreas Kirschbaum <kirschb...@in-medias-res.com>  Sat, 23 Jan 2010 10:19:35 +0100
+
 ghostscript (8.70~dfsg-2) unstable; urgency=low
 
   * Fix resolving package-relations.
only in patch2:
unchanged:
--- ghostscript-8.70~dfsg.orig/base/gsmisc.c
+++ ghostscript-8.70~dfsg/base/gsmisc.c
@@ -69,12 +69,11 @@
 
     va_start(args, fmt);
 
-    count = vsprintf(buf, fmt, args);
+    count = vsnprintf(buf, sizeof(buf), fmt, args);
     outwrite(mem, buf, count);
     if (count >= PRINTF_BUF_LENGTH) {
 	count = sprintf(buf, 
-	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
-	    PRINTF_BUF_LENGTH);
+	    "WARNING: previous message has been truncated.\n");
 	outwrite(mem, buf, count);
     }
     va_end(args);
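Review bot: The `outwrite(mem, buf, count)` call directly after the new `vsnprintf()` still passes the unbounded return value as the length, so an over-long message no longer overflows `buf` on write, but the output routine is then asked to read past the end of `buf` and emit whatever follows it on the stack. C99 `vsnprintf()` returns the length the complete output would have had, and may return a negative value on error, so the length handed on should be bounded without disturbing the later `count >= PRINTF_BUF_LENGTH` test, e.g. `outwrite(mem, buf, count < 0 ? 0 : count >= (int)sizeof(buf) ? (int)sizeof(buf) - 1 : count);`. The same applies to `errwrite(buf, count)` in the following hunk (`@@ -89,12 +88,11 @@`). The declaration of `buf` lies outside both hunks, so this assumes it is a local array of `PRINTF_BUF_LENGTH` bytes.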
@@ -89,12 +88,11 @@
 
     va_start(args, fmt);
 
-    count = vsprintf(buf, fmt, args);
+    count = vsnprintf(buf, sizeof(buf), fmt, args);
     errwrite(buf, count);
     if (count >= PRINTF_BUF_LENGTH) {
 	count = sprintf(buf, 
-	    "PANIC: printf exceeded %d bytes.  Stack has been corrupted.\n", 
-	    PRINTF_BUF_LENGTH);
+	    "WARNING: previous message has been truncated.\n");
 	errwrite(buf, count);
     }
     va_end(args);
@@ -236,7 +234,7 @@
     va_list ap;
 
     va_start(ap, fmt);
-    vsprintf(msg, fmt, ap);
+    vsnprintf(msg, sizeof(msg), fmt, ap);
     msg[sizeof(msg) - 1] = 0;
     va_end(ap);
 
