ghostscript: CVE-2023-28879

Debian Bug report logs - #1033757
ghostscript: CVE-2023-28879

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 31 Mar 2023 19:21:01 UTC

Severity: grave

Tags: security, upstream

Found in version ghostscript/10.0.0~dfsg-9

Fixed in version ghostscript/10.0.0~dfsg-11

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=706494


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#1033757; Package src:ghostscript. (Fri, 31 Mar 2023 19:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 31 Mar 2023 19:21:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghostscript: CVE-2023-28879
Date: Fri, 31 Mar 2023 21:19:42 +0200
Source: ghostscript
Version: 10.0.0~dfsg-9
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=706494
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ghostscript.

CVE-2023-28879[0]:
| In Artifex Ghostscript through 10.01.0, there is a buffer overflow
| leading to potential corruption of data internal to the PostScript
| interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode,
| TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte
| less than full, and one then tries to write an escaped character, two
| bytes are written.

I'm preparing an update for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28879
    https://www.cve.org/CVERecord?id=CVE-2023-28879
[1] https://bugs.ghostscript.com/show_bug.cgi?id=706494 (not public)

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
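The CVE text above describes the defect shape precisely: the encoder checks that the output buffer has at least one free byte, then emits an escape pair (two bytes) for a control character, so with exactly one byte left the second write lands past the end of the buffer. The following C program, an added illustration and not code from Ghostscript's base/sbcp.c, models that shape beside the corrected check. The escape rule (0x01 followed by the byte XOR 0x40) and the set of bytes treated as needing escape are assumptions chosen for the illustration, as are the function names; the sample input is constructed so that the escaped byte arrives when exactly one byte of capacity remains, and a sentinel byte placed just past the declared capacity shows which encoder overruns it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCP_ESC 0x01

/* Bytes that must be escaped on the wire. This set is an assumption for
 * the illustration; Ghostscript's real table lives in base/sbcp.c. */
static bool bcp_needs_escape(uint8_t c)
{
    switch (c) {
    case 0x01: case 0x03: case 0x04: case 0x05:
    case 0x11: case 0x13: case 0x14: case 0x1b: case 0x1c:
        return true;
    default:
        return false;
    }
}

/* Vulnerable shape: the loop guard only guarantees one free byte, but an
 * escaped character is written as two bytes. Returns bytes written and
 * reports how many input bytes were consumed. */
size_t bcp_encode_vulnerable(const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outcap, size_t *consumed)
{
    uint8_t *q = out, *end = out + outcap;
    size_t i = 0;
    while (i < inlen && q < end) {
        uint8_t c = in[i];
        if (bcp_needs_escape(c)) {
            *q++ = BCP_ESC;
            *q++ = (uint8_t)(c ^ 0x40);   /* may land at out[outcap] */
        } else {
            *q++ = c;
        }
        i++;
    }
    *consumed = i;
    return (size_t)(q - out);
}

/* Fixed shape: require room for the whole escape pair before writing it;
 * otherwise stop and leave the character for the next call, as a streaming
 * filter would. */
size_t bcp_encode_fixed(const uint8_t *in, size_t inlen,
                        uint8_t *out, size_t outcap, size_t *consumed)
{
    uint8_t *q = out, *end = out + outcap;
    size_t i = 0;
    while (i < inlen) {
        uint8_t c = in[i];
        if (bcp_needs_escape(c)) {
            if (end - q < 2)
                break;
            *q++ = BCP_ESC;
            *q++ = (uint8_t)(c ^ 0x40);
        } else {
            if (q >= end)
                break;
            *q++ = c;
        }
        i++;
    }
    *consumed = i;
    return (size_t)(q - out);
}

typedef size_t (*bcp_encoder)(const uint8_t *, size_t, uint8_t *, size_t, size_t *);

/* Feeds a constructed input (seven plain bytes, then one that needs escaping)
 * into an 8-byte declared capacity. The real buffer has one spare sentinel
 * byte after that capacity, so the overrun is observable without undefined
 * behaviour. Returns 1 if the encoder wrote past its declared capacity. */
int bcp_overruns(bcp_encoder enc)
{
    const uint8_t in[8] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x1b };
    uint8_t buf[8 + 1];
    size_t consumed = 0;

    memset(buf, 0, sizeof buf);
    buf[8] = 0xAA;                       /* sentinel just past capacity 8 */
    enc(in, sizeof in, buf, 8, &consumed);
    return buf[8] != 0xAA;
}

int main(void)
{
    printf("vulnerable encoder overruns: %d\n", bcp_overruns(bcp_encode_vulnerable));
    printf("fixed encoder overruns:      %d\n", bcp_overruns(bcp_encode_fixed));
    return 0;
}
```

With the constructed input the vulnerable encoder fills seven bytes, sees one byte of room, and writes the escape byte at out[7] and the escaped value at out[8], which is the sentinel; the fixed encoder stops after seven bytes, reports seven consumed, and leaves the escaped character for the next call once more space is available.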



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 01 Apr 2023 08:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 01 Apr 2023 08:51:03 GMT)


Message #10 received at 1033757-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1033757-close@bugs.debian.org
Subject: Bug#1033757: fixed in ghostscript 10.0.0~dfsg-11
Date: Sat, 01 Apr 2023 08:49:12 +0000
Source: ghostscript
Source-Version: 10.0.0~dfsg-11
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 01 Apr 2023 09:48:32 +0200
Source: ghostscript
Architecture: source
Version: 10.0.0~dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1033757
Changes:
 ghostscript (10.0.0~dfsg-11) unstable; urgency=medium
 .
   * QA upload.
   * Prevent buffer overrun in (T)BCP encoding (CVE-2023-28879)
     (Closes: #1033757)
Checksums-Sha1:
 d979e4f9cc8f632fc786f69bbc715a10757ce093 2987 ghostscript_10.0.0~dfsg-11.dsc
 7946dd26efb4274e62d31d6d955a839f34f135c5 85428 ghostscript_10.0.0~dfsg-11.debian.tar.xz
 7f47fd6c6a2baa5f0772ff6454ed61b7525cc239 7081 ghostscript_10.0.0~dfsg-11_source.buildinfo
Checksums-Sha256:
 e4e6af2e982228ea452f5dbd64f29f79db10f731571174adf3b37b0b913a5c97 2987 ghostscript_10.0.0~dfsg-11.dsc
 41861b53c348ce9b9cbe64cac2ecbba44d3bbb16c87a8cb807336f3107fc4650 85428 ghostscript_10.0.0~dfsg-11.debian.tar.xz
 dd83d1e03ac9b7d8cf139ab182a49843cd1acadbf84239970b2a8bf9aaf2e804 7081 ghostscript_10.0.0~dfsg-11_source.buildinfo
Files:
 202c53a276ed471f7e7333c15ae6f99b 2987 text optional ghostscript_10.0.0~dfsg-11.dsc
 360c629443995dd5aee569a840efe8cf 85428 text optional ghostscript_10.0.0~dfsg-11.debian.tar.xz
 4cf2a2c9332621fb66e496d7f7a16b39 7081 text optional ghostscript_10.0.0~dfsg-11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQn7XFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EP6YP/RFxxbXSCnNnNnFsKiF/dn6jV3+JLwir
wuiBweug4zyGhAcFd1m6+nyVlLg/PHQxDNREF792XWoNl2wrU4hTSq/uovvkMHTQ
w3Dk3X/t0lrcXfsIOofjAbYWQX0zVhn8Ood1DCTuhtzk1i3AThlZb1xNSI3IWEVp
UvBBBuKm4nPFOtlTRyHuz0tOYmDhh52mgCNbmNek4fI14bqHOLw/rev+L8eeVtJz
/7zHk/fTc4+O8GXCufrcvAGCvUDxso7F9arbNUJ0we3GgU6F7P+TxyIs5SfLwsMw
NNuSWYZaj6eBxh5Cl+NZx7dx6dRyvq96DkrGsjIM14PyYDV/LfPFi+eSdPKQ9yzs
+0IK5dvISzZHMH5eXUpkjTwUo3Tr5f/YoXstL/MmMGzFYruqfvNvmkV4AJLiN/JO
hvQgLS6Eq7N5xt69X0y+GFvDU1IsnRf2rrm/UY42EK/NFN3ztXyuBD+kxyCeeQR0
xvsz5hu5j5YztmdkTGLjp2IYFayez+NKpTvSFRSI4Q6zvlhkiBKJ41tRBp8nKK8N
f3AR1PAVvtgTkoum/7AJCb8FrpbhPEw8Tjz8v5nfHAuucQ/9BINswsy7QHJju7F4
Tluxfx3L9Pv+j6z8etfwXVKn41DCU6qlOyLOO1yt/gQaaYUY3xYMYnEq2xo+dzbY
k26BIO5+/jci
=9F78
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 1 13:09:42 2023; Machine Name: bembo
