CVE-2010-1628: allows context-dependent attackers to execute arbitrary code

Related Vulnerabilities: CVE-2010-1628   CVE-2009-4897  

Debian Bug report logs - #584516
CVE-2010-1628: allows context-dependent attackers to execute arbitrary code


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Fri, 4 Jun 2010 08:45:02 UTC

Severity: grave

Tags: security

Found in version ghostscript/8.63.dfsg.1-2

Fixed in versions ghostscript/8.71~dfsg2-4, ghostscript/8.71~dfsg2-6, ghostscript/8.62.dfsg.1-3.2lenny5

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584516; Package ghostscript. (Fri, 04 Jun 2010 08:45:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>. (Fri, 04 Jun 2010 08:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1628: allows context-dependent attackers to execute arbitrary code
Date: Fri, 04 Jun 2010 10:40:32 +0200
Package: ghostscript
Severity: grave
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2010-1628[0]:
| Ghostscript 8.64, 8.70, and possibly other versions allows
| context-dependent attackers to execute arbitrary code via a PostScript
| file containing unlimited recursive procedure invocations, which
| trigger memory corruption in the stack of the interpreter.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1628
    http://security-tracker.debian.org/tracker/CVE-2010-1628






Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#584516; Package ghostscript. (Thu, 22 Jul 2010 10:21:05 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. (Thu, 22 Jul 2010 10:21:05 GMT)


Message #10 received at 584516@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <584516@bugs.debian.org>
Subject: [Re: CVE-2010-1628: allows context-dependent attackers to execute arbitrary code
Date: Thu, 22 Jul 2010 12:17:22 +0200
Package: ghostscript
Version: 8.63.dfsg.1-2
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch



*** /tmp/tmpQ4x52y
In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via unlimited recursive
    procedure invocations (LP: #546009)
    - debian/patches/CVE-2010-1628.dpatch: only initialize structures if
      all allocations were successful in psi/ialloc.c, psi/idosave.h,
      psi/isave.c.
    - CVE-2010-1628

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-9-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmp8llaJ7 (text/x-diff, attachment)]
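
The ordering rule named in the changelog entry above (initialize structures only after every allocation has succeeded), shown on a toy save-state structure. This is an added illustration, not Ghostscript's code and not the attached Ubuntu patch; `toy_state`, `save_rec`, `toy_alloc`, `save_unsafe`, `save_checked` and `failed_save_modifies_state` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy types for illustration; not Ghostscript's structures. */
typedef struct save_rec {
    struct save_rec *prev;  /* previous save level */
    int *snapshot;          /* copy of the state taken at save time */
} save_rec;

typedef struct {
    save_rec *top;          /* chain of active save records */
    int level;              /* number of active saves */
    int data[4];            /* state being snapshotted */
} toy_state;

/* Test allocator: serves fail_after requests, then fails (negative = never). */
static int fail_after = -1;
static void *toy_alloc(size_t n)
{
    if (fail_after == 0)
        return NULL;
    if (fail_after > 0)
        fail_after--;
    return malloc(n);
}

/* Unsafe ordering: the record is linked into the state before the second
   allocation is checked, so a failure leaves a half-built record reachable. */
static int save_unsafe(toy_state *st)
{
    save_rec *rec = toy_alloc(sizeof *rec);
    if (rec == NULL)
        return -1;
    rec->prev = st->top;
    st->top = rec;          /* committed too early */
    st->level++;
    rec->snapshot = toy_alloc(sizeof st->data);
    if (rec->snapshot == NULL)
        return -1;          /* st->top->snapshot is NULL, level is wrong */
    memcpy(rec->snapshot, st->data, sizeof st->data);
    return 0;
}

/* Checked ordering: perform every allocation first, and touch the
   state only once all of them have succeeded. */
static int save_checked(toy_state *st)
{
    save_rec *rec = toy_alloc(sizeof *rec);
    int *snap = toy_alloc(sizeof st->data);
    if (rec == NULL || snap == NULL) {
        free(rec);          /* free(NULL) is a no-op */
        free(snap);
        return -1;          /* st is untouched */
    }
    memcpy(snap, st->data, sizeof st->data);
    rec->snapshot = snap;
    rec->prev = st->top;
    st->top = rec;
    st->level++;
    return 0;
}

/* 1: failed save modified the state; 0: untouched; -1: save succeeded. */
static int failed_save_modifies_state(int (*save)(toy_state *), int allowed)
{
    toy_state st = { NULL, 0, {1, 2, 3, 4} };
    fail_after = allowed;   /* number of allocations allowed to succeed */
    int rc = save(&st);
    fail_after = -1;
    int modified = (st.top != NULL || st.level != 0);
    while (st.top != NULL) {            /* release whatever was linked */
        save_rec *prev = st.top->prev;
        free(st.top->snapshot);
        free(st.top);
        st.top = prev;
    }
    return rc == 0 ? -1 : modified;
}

int main(void)
{
    return !(failed_save_modifies_state(save_unsafe, 1) == 1 &&
             failed_save_modifies_state(save_checked, 1) == 0);
}
```
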

Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Wed, 04 Aug 2010 00:51:05 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Wed, 04 Aug 2010 00:51:05 GMT)


Message #15 received at 584516-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 584516-close@bugs.debian.org
Subject: Bug#584516: fixed in ghostscript 8.71~dfsg2-4
Date: Wed, 04 Aug 2010 00:47:23 +0000
Source: ghostscript
Source-Version: 8.71~dfsg2-4

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg2-4_i386.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-4_i386.deb
ghostscript-doc_8.71~dfsg2-4_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-4_all.deb
ghostscript-x_8.71~dfsg2-4_i386.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg2-4_i386.deb
ghostscript_8.71~dfsg2-4.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg2-4.debian.tar.gz
ghostscript_8.71~dfsg2-4.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg2-4.dsc
ghostscript_8.71~dfsg2-4_i386.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg2-4_i386.deb
gs-common_8.71~dfsg2-4_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg2-4_all.deb
gs-esp_8.71~dfsg2-4_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg2-4_all.deb
gs-gpl_8.71~dfsg2-4_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg2-4_all.deb
libgs-dev_8.71~dfsg2-4_i386.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg2-4_i386.deb
libgs8_8.71~dfsg2-4_i386.deb
  to main/g/ghostscript/libgs8_8.71~dfsg2-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 31 Jul 2010 23:19:42 -0400
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.71~dfsg2-4
Distribution: unstable
Urgency: medium
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 584516 584667
Changes: 
 ghostscript (8.71~dfsg2-4) unstable; urgency=medium
 .
   * Collab-maint upload, adding myself to uploaders temporarily
   * Fix CVE-2010-1628 (Closes: #584516)
   * Apply upstream commit r11351 to pass -P- to all Ghostscript
     internal tools. Ghostscript will likely be changed to run
     with -P- by default, but this still needs more work/testing
     for a final patch (Closes: #584667)





Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Thu, 19 Aug 2010 09:21:09 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Thu, 19 Aug 2010 09:21:09 GMT)


Message #20 received at 584516-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 584516-close@bugs.debian.org
Subject: Bug#584516: fixed in ghostscript 8.71~dfsg2-6
Date: Thu, 19 Aug 2010 09:17:22 +0000
Source: ghostscript
Source-Version: 8.71~dfsg2-6

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg2-6_amd64.deb
ghostscript-doc_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg2-6_all.deb
ghostscript-x_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg2-6_amd64.deb
ghostscript_8.71~dfsg2-6.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.debian.tar.gz
ghostscript_8.71~dfsg2-6.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6.dsc
ghostscript_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg2-6_amd64.deb
gs-common_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg2-6_all.deb
gs-esp_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg2-6_all.deb
gs-gpl_8.71~dfsg2-6_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg2-6_all.deb
libgs-dev_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg2-6_amd64.deb
libgs8_8.71~dfsg2-6_amd64.deb
  to main/g/ghostscript/libgs8_8.71~dfsg2-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 19 Aug 2010 09:55:55 +0200
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.71~dfsg2-6
Distribution: unstable
Urgency: low
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 519141 583738 584516 584667
Changes: 
 ghostscript (8.71~dfsg2-6) unstable; urgency=low
 .
   * Acknowledge pseudo-NMUs.
     Closes: bug#584667, #584516, #583738, thanks to Moritz Muehlenhoff
     and Sebastian Dröge.
   * There is no such thing as a "collab-maint upload":
     + Edit historical changelog entries to avoid further repetition.
     + Document sensible use of collab-maint for NMUs in README.source.
   * Reorder patches to match upstream commit order.
   * Replace patches 0960-0962 (fix printing from GTK+ apps) from Ubuntu
     with corresponding patches cherry-picked from upstream.
   * Refresh patches using shortening options --no-timestamps --no-index
     -pab.
   * Bump Standards-Version to 3.9.1.
   * Put myself as maintainer and Hatta as uploader, to better reflect
     our current levels of activity.
   * Drop superfluous cleanup in preinst of transitional gs-common.
     Thanks to Jonathan Nieder (see bug#519141).
   * Fix circular dependency: Stop ugly transitional hack of ghostscript
     depending on gs-common (which depends on ghostscript).
     Closes: bug#519141, thanks to Bill Allombert, Jonathan Nieder and
     others (see also bug#539754).
   * Add patch 011547 cherry-picked from upstream Subversion, to improve
     cups device support for rendering with high memory demands. Possibly
     fixes bug#534414 (try also setting RIPCache=auto in cupsd.conf).





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Fri, 20 Aug 2010 20:09:03 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 20 Aug 2010 20:09:04 GMT)


Message #25 received at 584516-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 584516-close@bugs.debian.org
Subject: Bug#584516: fixed in ghostscript 8.62.dfsg.1-3.2lenny5
Date: Fri, 20 Aug 2010 20:05:40 +0000
Source: ghostscript
Source-Version: 8.62.dfsg.1-3.2lenny5

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-doc_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/ghostscript-doc_8.62.dfsg.1-3.2lenny5_all.deb
ghostscript-x_8.62.dfsg.1-3.2lenny5_i386.deb
  to main/g/ghostscript/ghostscript-x_8.62.dfsg.1-3.2lenny5_i386.deb
ghostscript_8.62.dfsg.1-3.2lenny5.diff.gz
  to main/g/ghostscript/ghostscript_8.62.dfsg.1-3.2lenny5.diff.gz
ghostscript_8.62.dfsg.1-3.2lenny5.dsc
  to main/g/ghostscript/ghostscript_8.62.dfsg.1-3.2lenny5.dsc
ghostscript_8.62.dfsg.1-3.2lenny5_i386.deb
  to main/g/ghostscript/ghostscript_8.62.dfsg.1-3.2lenny5_i386.deb
gs-aladdin_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/gs-aladdin_8.62.dfsg.1-3.2lenny5_all.deb
gs-common_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/gs-common_8.62.dfsg.1-3.2lenny5_all.deb
gs-esp_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/gs-esp_8.62.dfsg.1-3.2lenny5_all.deb
gs-gpl_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/gs-gpl_8.62.dfsg.1-3.2lenny5_all.deb
gs_8.62.dfsg.1-3.2lenny5_all.deb
  to main/g/ghostscript/gs_8.62.dfsg.1-3.2lenny5_all.deb
libgs-dev_8.62.dfsg.1-3.2lenny5_i386.deb
  to main/g/ghostscript/libgs-dev_8.62.dfsg.1-3.2lenny5_i386.deb
libgs8_8.62.dfsg.1-3.2lenny5_i386.deb
  to main/g/ghostscript/libgs8_8.62.dfsg.1-3.2lenny5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 18 Aug 2010 12:35:45 +0200
Source: ghostscript
Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.62.dfsg.1-3.2lenny5
Distribution: stable-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs         - Transitional package
 gs-aladdin - Transitional package
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 584516
Changes: 
 ghostscript (8.62.dfsg.1-3.2lenny5) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-4897: Buffer overflow in gs/psi/iscan.c allows remote
     attackers to execute arbitrary code or cause a denial of service via a
     crafted PDF document containing a long name.
   * Fixed CVE-2010-1628: execute arbitrary code via a PostScript file
     containing unlimited recursive procedure invocations, which trigger
     memory corruption in the stack of the interpreter (Closes: #584516)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2010 07:32:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:50:51 2019; Machine Name: buxtehude
