You have been subscribed to a public bug by Kees Cook (kees):

Binary package hint: ghostscript

evince crashes when opening the attached postscript document. The crash is because libgs tries to execute code at vma null. Haven't checked whether eip could be controlled to make the execution jump to a location chosen by the attacker.

#0  0x00000000 in ?? ()
#1  0x08a88b81 in pop_estack () from /usr/lib/libgs.so.8
#2  0x08a7af9d in gs_interpret () from /usr/lib/libgs.so.8
#3  0x08a6e6ae in gs_main_run_string_continue () from /usr/lib/libgs.so.8
#4  0x08a72a87 in gsapi_run_string_continue () from /usr/lib/libgs.so.8
#5  0x022787d1 in spectre_gs_process () from /usr/lib/libspectre.so.1
#6  0x02278ae5 in spectre_gs_send_page () from /usr/lib/libspectre.so.1
#7  0x0227962e in spectre_device_render () from /usr/lib/libspectre.so.1
#8  0x02279c74 in spectre_page_render () from /usr/lib/libspectre.so.1
#9  0x00f828f4 in ps_document_render (document=0x23104558, rc=0x22a0c8e0)
    at /build/buildd/evince-2.32.0/./backend/ps/ev-spectre.c:301
#10 0x00f82a30 in ps_document_thumbnails_get_thumbnail (
    document_thumbnails=0x23104558, rc=0x22a0c8e0, border=1)
    at /build/buildd/evince-2.32.0/./backend/ps/ev-spectre.c:361
#11 0x00e50ff3 in ev_document_thumbnails_get_thumbnail (document=0x23104558,
    rc=0x22a0c8e0, border=1)
    at /build/buildd/evince-2.32.0/./libdocument/ev-document-thumbnails.c:44
#12 0x00de4ed5 in ev_job_thumbnail_run (job=0x230be0d8)
    at /build/buildd/evince-2.32.0/./libview/ev-jobs.c:779
#13 0x00de2371 in ev_job_run (job=0x230be0d8)
    at /build/buildd/evince-2.32.0/./libview/ev-jobs.c:214
#14 0x00de6368 in ev_job_thread (data=0x0)
    at /build/buildd/evince-2.32.0/./libview/ev-job-scheduler.c:183
#15 ev_job_thread_proxy (data=0x0)
    at /build/buildd/evince-2.32.0/./libview/ev-job-scheduler.c:213
#16 0x0077f48f in ?? () from /lib/libglib-2.0.so.0
#17 0x006c7cc9 in start_thread (arg=0xb57aab70) at pthread_create.c:304
#18 0x0109a6be in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: evince 2.32.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-19.28-generic 2.6.35.3
Uname: Linux 2.6.35-19-generic i686
Architecture: i386
Date: Sun Nov 21 11:55:00 2010
Disassembly: => 0x0: Cannot access memory at address 0x0
ExecutablePath: /usr/bin/evince
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha i386 (20100803.1)
KernLog:

ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.35-19-generic root=UUID=b3362ce7-07a5-489a-a2dd-3f83cd0c19ed ro
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x0: Cannot access memory at address 0x0
 PC (0x00000000) not located in a known VMA region (needed executable region)!
 Stack memory exhausted (SP below stack segment)
SegvReason: executing NULL VMA
Signal: 11
SourcePackage: evince
StacktraceTop:
 ?? ()
 pop_estack () from /usr/lib/libgs.so.8
 gs_interpret () from /usr/lib/libgs.so.8
 gs_main_run_string_continue () from /usr/lib/libgs.so.8
 gsapi_run_string_continue () from /usr/lib/libgs.so.8
Title: evince crashed with SIGSEGV in pop_estack()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

** Affects: ghostscript (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Tags: apport-crash i386 maverick

--
evince crashed with SIGSEGV in pop_estack()
https://bugs.launchpad.net/bugs/678073
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs