Vulnerability Details : CVE-2012-4405
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06 and Argyll Color Management System, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PostScript or (2) PDF file with embedded images, which triggers a heap-based buffer overflow. NOTE: this issue is also described as an array index error.
Vulnerability category: OverflowExecute codeDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2012-4405
Probability of exploitation activity in the next 30 days: 4.91%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 92 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-4405
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2012-4405
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4405
-
http://www.openwall.com/lists/oss-security/2012/09/11/2
oss-security - CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based bufer OOB write
-
http://www.mandriva.com/security/advisories?name=MDVSA-2012:151
mandriva.com
-
http://www.securitytracker.com/id?1027517
Ghostscript Integer Overflow in ICC Library Lets Remote Users Execute Arbitrary Code - SecurityTracker
-
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0301
Support/Advisories/MGASA-2012-0301 - Mageia wiki
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:090
mandriva.com
-
http://rhn.redhat.com/errata/RHSA-2012-1256.html
RHSA-2012:1256 - Security Advisory - Red Hat Customer Portal
-
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00001.html
[security-announce] openSUSE-SU-2012:1289-1: important: ghostscript
-
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00031.html
[security-announce] SUSE-SU-2012:1222-1: important: Security update for
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/78411
icclib PDF file buffer overflow CVE-2012-4405 Vulnerability Report
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:089
mandriva.com
-
http://security.gentoo.org/glsa/glsa-201412-17.xml
GPL Ghostscript: Multiple vulnerabilities (GLSA 201412-17) — Gentoo security
-
http://www.securityfocus.com/bid/55494
ICCLIB CVE-2012-4405 Out-of-Bounds Memory Write Remote Code Execution Vulnerability
-
http://www.ubuntu.com/usn/USN-1581-1
USN-1581-1: Ghostscript vulnerability | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-updates/2012-10/msg00015.html
openSUSE-SU-2012:1290-1: ghostscript-library: security bugfix release
Products affected by CVE-2012-4405
- cpe:2.3:a:ghostscript:ghostscript:9.06:*:*:*:*:*:*:*
- cpe:2.3:a:argyllcms:cms:-:*:*:*:*:*:*:*
- cpe:2.3:a:color:icclib:-:*:*:*:*:*:*:*