lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 May 2010 20:27:35 -0400
From: Dan Rosenberg <>
Subject: Multiple memory corruption vulnerabilities in

 Ghostscript, multiple arbitrary code execution vulnerabilities
 May 11, 2010


Ghostscript (, an interpreter for the PostScript language,
is vulnerable to two memory corruption vulnerabilities:

1. A stack overflow in the parser for Ghostscript versions 8.64 and 8.70 occurs
when very long identifiers are provided within a PostScript file.  By enticing
a user to open a maliciously crafted PostScript file, arbitrary code execution
can be achieved.  This vulnerability was reported to downstream distributions
by me on March 4, 2010.  An anonymous researcher independently published this
vulnerability today (May 11, 2010), prompting this advisory.  This issue has
been assigned CVE-2010-1869.

2. GhostScript (all tested versions) fails to properly handle infinitely
recursive procedure invocations.  By providing a PostScript file with a
sequence such as:

/A{pop 0 A 0} bind def
/product A 0

the interpreter's internal stack will be overflowed with recursive calls, at
which point execution will jump to an attacker-controlled address.  This
vulnerability can be exploited by enticing a user to open a maliciously crafted
PostScript file, achieving arbitrary code execution.  This issue has not yet
been assigned a CVE identifier.


In the absence of a patch, users are encouraged to discontinue use of
Ghostscript or avoid processing untrusted PostScript files.


These vulnerabilities were discovered by Dan Rosenberg


3/04/10 - Initial report to downstream distribution
5/11/10 - Anonymous researcher discloses first issue
5/11/10 - Disclosure


CVE identifier CVE-2010-1869 has been assigned to the first issue.

The original report for this bug can be found at:

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists