CVE-2009-0583

Name	CVE-2009-0583
Description	Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1746-1, DTSA-198-1
Debian Bugs	522416, 522448

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
argyll (PTS)	bullseye	2.0.1+repack-1.1	fixed
	bookworm	2.3.1+repack-1.1	fixed
	sid, trixie	3.1.0+repack-1	fixed
ghostscript (PTS)	bullseye (security), bullseye	9.53.3~dfsg-7+deb11u7	fixed
	bookworm, bookworm (security)	10.0.0~dfsg-11+deb12u4	fixed
	trixie	10.03.1~dfsg-1	fixed
	sid	10.03.1~dfsg-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
argyll	source	(unstable)	1.0.3-2			522448
ghostscript	source	lenny	8.62.dfsg.1-3.2lenny1		DSA-1746-1
ghostscript	source	squeeze	8.64~dfsg-1+squeeze1		DTSA-198-1
ghostscript	source	(unstable)	8.64~dfsg-1.1	medium		522416
gs-esp	source	(unstable)	(unfixed)
gs-gpl	source	etch	8.54.dfsg.1-5etch2		DSA-1746-1
gs-gpl	source	(unstable)	(unfixed)	medium