CVE-2009-0583 - Vulnerability Details

- argyllcms: Multiple integer overflows in the International Color Consortium Format Library

Description

Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

Published: 2009-03-23

Score: 9.3 Critical

EPSS: 4.6% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:ghostscript:ghostscript::::::::
	cpe:2.3:a:ghostscript:ghostscript:5.50:::::::*
	cpe:2.3:a:ghostscript:ghostscript:7.05:::::::*
	cpe:2.3:a:ghostscript:ghostscript:7.07:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.0.1:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.15:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.15.2:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.54:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.56:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.57:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.61:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.62:::::::*
	cpe:2.3:a:ghostscript:ghostscript:8.63:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:argyllcms:argyllcms::::::::
	cpe:2.3:a:argyllcms:argyllcms:0.1.0:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.2.0:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.2.1:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.2.2:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.3.0:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.6.0:::::::*
	cpe:2.3:a:argyllcms:argyllcms:0.7.0:beta_8::::::
	cpe:2.3:a:argyllcms:argyllcms:1.0.0:::::::*
	cpe:2.3:a:argyllcms:argyllcms:1.0.2:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 3
ghostscript-0:7.05-32.1.17	cpe:/o:redhat:enterprise_linux:3	RHSA-2009:0345	2009-03-19T00:00:00Z
Red Hat Enterprise Linux 4
ghostscript-0:7.07-33.2.el4_7.5	cpe:/o:redhat:enterprise_linux:4	RHSA-2009:0345	2009-03-19T00:00:00Z
Red Hat Enterprise Linux 5
ghostscript-0:8.15.2-9.4.el5_3.4	cpe:/o:redhat:enterprise_linux:5	RHSA-2009:0345	2009-03-19T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-1746-1	New ghostscript packages fix arbitrary code execution
EUVD	EUVD-2009-0586	Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.
Ubuntu USN	USN-743-1	Ghostscript vulnerabilities
Ubuntu USN	USN-757-1	Ghostscript vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.04568.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://bugs.gentoo.org/show_bug.cgi?id=261087
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://secunia.com/advisories/34266
http://secunia.com/advisories/34373
http://secunia.com/advisories/34381
http://secunia.com/advisories/34393
http://secunia.com/advisories/34398
http://secunia.com/advisories/34418
http://secunia.com/advisories/34437
http://secunia.com/advisories/34443
http://secunia.com/advisories/34469
http://secunia.com/advisories/34729
http://secunia.com/advisories/35559
http://secunia.com/advisories/35569
http://securitytracker.com/id?1021868
http://sunsolve.sun.com/search/document.do?assetkey=1-26-262288-1
http://support.avaya.com/elmodocs2/security/ASA-2009-098.htm
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050
http://www.auscert.org.au/render.html?it=10666
http://www.debian.org/security/2009/dsa-1746
http://www.gentoo.org/security/en/glsa/glsa-200903-37.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2009:095
http://www.mandriva.com/security/advisories?name=MDVSA-2009:096
http://www.redhat.com/support/errata/RHSA-2009-0345.html
http://www.securityfocus.com/archive/1/501994/100/0/threaded
http://www.securityfocus.com/bid/34184
http://www.ubuntu.com/usn/USN-743-1
http://www.vupen.com/english/advisories/2009/0776
http://www.vupen.com/english/advisories/2009/0777
http://www.vupen.com/english/advisories/2009/0816
http://www.vupen.com/english/advisories/2009/1708
https://bugzilla.redhat.com/show_bug.cgi?id=487742
https://exchange.xforce.ibmcloud.com/vulnerabilities/49329
https://issues.rpath.com/browse/RPL-2991
https://nvd.nist.gov/vuln/detail/CVE-2009-0583
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10795
https://usn.ubuntu.com/757-1/
https://www.cve.org/CVERecord?id=CVE-2009-0583
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00770.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00772.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00887.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00916.html

History

No history.

Subscriptions

Argyllcms Argyllcms

Ghostscript Ghostscript

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-03-23T19:26:00.000Z

Updated: 2024-08-07T04:40:05.059Z

Reserved: 2009-02-13T00:00:00.000Z

Link: CVE-2009-0583

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-03-23T20:00:00.343

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-0583

Redhat

Severity : Moderate

Publid Date: 2009-03-19T00:00:00Z

Links: CVE-2009-0583 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object