[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ghostscript vulnerabilities
|
From: |
Ludovic Courtès |
|
Subject: |
Re: ghostscript vulnerabilities |
|
Date: |
Wed, 12 Oct 2016 23:13:54 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Hello Didier and all,
We are wondering about the applicability to GNU Ghostscript of the
recent vulnerabilities discovered in AGPL Ghostscript:
Alex Vong <address@hidden> skribis:
> Salvatore Bonaccorso <address@hidden> writes:
>
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-3691-1 address@hidden
>> https://www.debian.org/security/ Salvatore Bonaccorso
>> October 12, 2016 https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package : ghostscript
>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>> CVE-2016-7979 CVE-2016-8602
>> Debian Bug : 839118 839260 839841 839845 839846 840451
>>
>> Several vulnerabilities were discovered in Ghostscript, the GPL
>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>> code or information disclosure if a specially crafted Postscript file is
>> processed.
[...]
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
WDYT? Perhaps a new release incorporating the fixes is in order?
Thanks,
Ludo’.