Ghostscript: User-assisted execution of arbitrary code

1. Gentoo Linux Security Advisory

Version Information
          
            | Advisory Reference | GLSA 200903-37 / ghostscript-gpl ghostscript-esp ghostscript-gnu |  
            | Release Date | March 23, 2009 |  
            | Latest Revision | March 23, 2009: 01 |  
            | Impact | normal |  
            | Exploitable | remote |  
          
            | Package | Vulnerable versions | Unaffected versions | Architecture(s) |
            | app-text/ghostscript-gpl | < 8.64-r2 | >= 8.64-r2 | All supported architectures |
            | app-text/ghostscript-gnu | < 8.62.0 | >= 8.62.0 | All supported architectures |
            | app-text/ghostscript-esp | <= 8.15.4-r1 |  | All supported architectures |

Related bug reports: #261087

Synopsis
    Multiple integer overflows in the Ghostscript ICC library might allow for
    user-assisted execution of arbitrary code.

2. Impact Information

Background
    Ghostscript is an interpreter for the PostScript language and the
    Portable Document Format (PDF).
     Description 
    Jan Lieskovsky from the Red Hat Security Response Team discovered the
    following vulnerabilities in Ghostscript's ICC Library:
     
    - Multiple integer overflows (CVE-2009-0583).
    - Multiple insufficient bounds checks on certain variable sizes
      (CVE-2009-0584).

Impact
    A remote attacker could entice a user to open a specially crafted
    PostScript file containing images and a malicious ICC profile, possibly
    resulting in the execution of arbitrary code with the privileges of the
    user running the application.

3. Resolution Information

Workaround
    There is no known workaround at this time.
     Resolution 
    All GPL Ghostscript users should upgrade to the latest version:
     
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-8.64-r2"

    All GNU Ghostscript users should upgrade to the latest version:
     
Code Listing 3.2: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gnu-8.62.0"

    We recommend that users unmerge ESP Ghostscript and use GPL or GNU
    Ghostscript instead:
     
Code Listing 3.3: Resolution

    # emerge --unmerge "app-text/ghostscript-esp"

    For installation instructions, see above.

4. References