Re: ghostscript vulnerabilities

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ghostscript vulnerabilities

From:	Alex Vong
Subject:	Re: ghostscript vulnerabilities
Date:	Sun, 16 Oct 2016 23:47:39 +0800
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello,

I notice the patch for CVE-2016-7977[0] handles the problem differently
than GNU Ghostscript[1] does. Maybe you can take a look at it.

[0]: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c

Thanks,
Alex

Didier Link <address@hidden> writes:

> Hello all
>
> I will review the Mark's patches and apply them for a security release next 
> week.
>
> Thanks for your help !
>
> Best regards
>
> Didier
>
> Le 15/10/2016 à 09:36, Mark H Weaver a écrit :
>
>  address@hidden (Ludovic Courtès) writes:
>
>  Hello Didier and all,
>
> We are wondering about the applicability to GNU Ghostscript of the
> recent vulnerabilities discovered in AGPL Ghostscript:
>
> Alex Vong <address@hidden> skribis:
>
>  Salvatore Bonaccorso <address@hidden> writes:
>
>  -------------------------------------------------------------------------
>  
> Debian Security Advisory DSA-3691-1                   address@hidden
> https://www.debian.org/security/                     Salvatore Bonaccorso
> October 12, 2016                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : ghostscript
> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
>                  CVE-2016-7979 CVE-2016-8602
> Debian Bug     : 839118 839260 839841 839845 839846 840451
>
> Several vulnerabilities were discovered in Ghostscript, the GPL
> PostScript/PDF interpreter, which may lead to the execution of arbitrary
> code or information disclosure if a specially crafted Postscript file is
> processed.
>
> [...]
>
>  I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>
> WDYT?  Perhaps a new release incorporating the fixes is in order?
>
> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
> You can find them here:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880
>
>       Mark

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

ghostscript vulnerabilities, Alex Vong, 2016/10/12
- Re: ghostscript vulnerabilities, Leo Famulari, 2016/10/12
  - Re: ghostscript vulnerabilities, Leo Famulari, 2016/10/12
- Re: ghostscript vulnerabilities, Ludovic Courtès, 2016/10/12
  - Re: ghostscript vulnerabilities, Mark H Weaver, 2016/10/15
    - Re: ghostscript vulnerabilities, Didier Link, 2016/10/16
    - Re: ghostscript vulnerabilities, Alex Vong <=

Prev by Date: [PATCH 15/15] gnu: Add GHC 8.0.1.
Next by Date: Re: [PATCH] import: utils: Remove dependency on (json) module.
Previous by thread: Re: ghostscript vulnerabilities
Next by thread: [PATCH 00/13] Add a bunch of LV2 audio effects!
Index(es):
- Date
- Thread