
CVE-2009-0584

argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library

Severity Score (CVSS v2): 9.3
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete

  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2009-02-13 CVE Reserved
  • 2009-03-23 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-11-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-189: Numeric Errors
CAPEC
References (42)
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html 2018-10-10
http://secunia.com/advisories/34373 2018-10-10
http://secunia.com/advisories/34381 2018-10-10
http://secunia.com/advisories/34393 2018-10-10
http://secunia.com/advisories/34398 2018-10-10
http://secunia.com/advisories/34437 2018-10-10
http://sunsolve.sun.com/search/document.do?assetkey=1-26-262288-1 2018-10-10
http://www.debian.org/security/2009/dsa-1746 2018-10-10
http://www.gentoo.org/security/en/glsa/glsa-200903-37.xml 2018-10-10
http://www.mandriva.com/security/advisories?name=MDVSA-2009:095 2018-10-10
http://www.mandriva.com/security/advisories?name=MDVSA-2009:096 2018-10-10
http://www.redhat.com/support/errata/RHSA-2009-0345.html 2018-10-10
http://www.ubuntu.com/usn/USN-743-1 2018-10-10
http://www.vupen.com/english/advisories/2009/0776 2018-10-10
http://www.vupen.com/english/advisories/2009/0777 2018-10-10
http://www.vupen.com/english/advisories/2009/0816 2018-10-10
https://bugzilla.redhat.com/show_bug.cgi?id=487744 2009-03-19
https://usn.ubuntu.com/757-1 2018-10-10
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00770.html 2018-10-10
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00772.html 2018-10-10
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00887.html 2018-10-10
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00916.html 2018-10-10
https://access.redhat.com/security/cve/CVE-2009-0584 2009-03-19
Affected Vendors, Products, and Versions
Vendor       Product      Version    Other  Status
Argyllcms    Cms          <= 1.0.3   -      Affected
Ghostscript  Ghostscript  <= 8.64    -      Affected
Ghostscript  Ghostscript  0          -      Affected
Ghostscript  Ghostscript  5.50       -      Affected
Ghostscript  Ghostscript  7.05       -      Affected
Ghostscript  Ghostscript  7.07       -      Affected
Ghostscript  Ghostscript  8.0.1      -      Affected
Ghostscript  Ghostscript  8.15       -      Affected
Ghostscript  Ghostscript  8.15.2     -      Affected
Ghostscript  Ghostscript  8.54       -      Affected
Ghostscript  Ghostscript  8.56       -      Affected
Ghostscript  Ghostscript  8.57       -      Affected
Ghostscript  Ghostscript  8.60       -      Affected
Ghostscript  Ghostscript  8.61       -      Affected