CVE-2009-0584

23.03.2009, 20:00

icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:C/I:C/A:C
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 92%

Vendor	Product	Version
argyllcms	cms	𝑥 ≤ 1.0.3
ghostscript	ghostscript	𝑥 ≤ 8.64
ghostscript	ghostscript	5.50
ghostscript	ghostscript	7.05
ghostscript	ghostscript	7.07
ghostscript	ghostscript	8.0.1
ghostscript	ghostscript	8.15
ghostscript	ghostscript	8.15.2
ghostscript	ghostscript	8.54
ghostscript	ghostscript	8.56
ghostscript	ghostscript	8.57
ghostscript	ghostscript	8.60
ghostscript	ghostscript	8.61

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

argyll

bullseye	2.0.1+repack-1.1 fixed
bookworm	2.3.1+repack-1.1 fixed
sid	3.1.0+repack-1.1 fixed
trixie	3.1.0+repack-1.1 fixed

ghostscript

bullseye	9.53.3~dfsg-7+deb11u7 fixed
bullseye (security)	9.53.3~dfsg-7+deb11u8 fixed
bookworm	10.0.0~dfsg-11+deb12u4 fixed
bookworm (security)	10.0.0~dfsg-11+deb12u5 fixed
sid	10.04.0~dfsg-1 fixed
trixie	10.04.0~dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

ghostscript

intrepid	Fixed 8.63.dfsg.1-0ubuntu6.3 released
hardy	Fixed 8.61.dfsg.1-1ubuntu3.1 released
gutsy	Fixed 8.61.dfsg.1~svn8187-0ubuntu3.5 released
dapper	dne

gs-gpl

intrepid	dne
hardy	dne
gutsy	dne
dapper	Fixed 8.15-4ubuntu3.2 released

Common Weakness Enumeration

CWE-189 -

References

http://bugs.gentoo.org/show_bug.cgi?id=261087

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

http://osvdb.org/52988

http://secunia.com/advisories/34266

http://secunia.com/advisories/34373

http://secunia.com/advisories/34381

http://secunia.com/advisories/34393

http://secunia.com/advisories/34398

http://secunia.com/advisories/34418

http://secunia.com/advisories/34437

http://secunia.com/advisories/34443

http://secunia.com/advisories/34469

http://secunia.com/advisories/34729

http://secunia.com/advisories/35559

http://secunia.com/advisories/35569

http://securitytracker.com/id?1021868

http://sunsolve.sun.com/search/document.do?assetkey=1-26-262288-1

http://support.avaya.com/elmodocs2/security/ASA-2009-098.htm

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050

http://www.auscert.org.au/render.html?it=10666

http://www.debian.org/security/2009/dsa-1746

http://www.gentoo.org/security/en/glsa/glsa-200903-37.xml

http://www.mandriva.com/security/advisories?name=MDVSA-2009:095

http://www.mandriva.com/security/advisories?name=MDVSA-2009:096

http://www.redhat.com/support/errata/RHSA-2009-0345.html

http://www.securityfocus.com/archive/1/501994/100/0/threaded

http://www.securityfocus.com/bid/34184

http://www.ubuntu.com/usn/USN-743-1

http://www.vupen.com/english/advisories/2009/0776

http://www.vupen.com/english/advisories/2009/0777

http://www.vupen.com/english/advisories/2009/0816

http://www.vupen.com/english/advisories/2009/1708

https://bugzilla.redhat.com/show_bug.cgi?id=487744

https://exchange.xforce.ibmcloud.com/vulnerabilities/49327

https://issues.rpath.com/browse/RPL-2991

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10544

https://usn.ubuntu.com/757-1/

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00770.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00772.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00887.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00916.html

http://bugs.gentoo.org/show_bug.cgi?id=261087

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

http://osvdb.org/52988

http://secunia.com/advisories/34266

http://secunia.com/advisories/34373

http://secunia.com/advisories/34381

http://secunia.com/advisories/34393

http://secunia.com/advisories/34398

http://secunia.com/advisories/34418

http://secunia.com/advisories/34437

http://secunia.com/advisories/34443

http://secunia.com/advisories/34469

http://secunia.com/advisories/34729

http://secunia.com/advisories/35559

http://secunia.com/advisories/35569

http://securitytracker.com/id?1021868

http://sunsolve.sun.com/search/document.do?assetkey=1-26-262288-1

http://support.avaya.com/elmodocs2/security/ASA-2009-098.htm

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050

http://www.auscert.org.au/render.html?it=10666

http://www.debian.org/security/2009/dsa-1746

http://www.gentoo.org/security/en/glsa/glsa-200903-37.xml

http://www.mandriva.com/security/advisories?name=MDVSA-2009:095

http://www.mandriva.com/security/advisories?name=MDVSA-2009:096

http://www.redhat.com/support/errata/RHSA-2009-0345.html

http://www.securityfocus.com/archive/1/501994/100/0/threaded

http://www.securityfocus.com/bid/34184

http://www.ubuntu.com/usn/USN-743-1

http://www.vupen.com/english/advisories/2009/0776

http://www.vupen.com/english/advisories/2009/0777

http://www.vupen.com/english/advisories/2009/0816

http://www.vupen.com/english/advisories/2009/1708

https://bugzilla.redhat.com/show_bug.cgi?id=487744

https://exchange.xforce.ibmcloud.com/vulnerabilities/49327

https://issues.rpath.com/browse/RPL-2991

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10544

https://usn.ubuntu.com/757-1/

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00770.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00772.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00887.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00916.html