Ghostscript Heap Corruption in TrueType bytecode interpreter

ID VU:644319
Type cert
Reporter CERT
Modified 2010-12-06T00:00:00



The TrueType bytecode interpreter that is part of Ghostscript is prone to heap corruption.


Ghostscript includes a TrueType bytecode interpreter that is prone to an off-by-one bug, which causes heap corruption. Further details can be found in Ghostscript Bug #691044, the Ghostscript r10602 commit statement, and Toucan System's TSSA-2010-01 advisory.


An attacker may use a specially crafted document with a malformed TrueType font to cause a denial of service condition or execute arbitrary code.


Upgrade to Ghostscript 8.71 or newer.

Vendor Information

Vendor| Status| Date Notified| Date Updated
Artifex Software, Inc.| | 03 Aug 2010| 24 Aug 2010

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A



Thanks to Jonathan Brossard for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2009-3743
  • Date Public: 24 Aug 2010
  • Date First Published: 24 Aug 2010
  • Date Last Updated: 06 Dec 2010
  • Severity Metric: 0.45
  • Document Revision: 34