ghostscript: CVE-2019-3835: superexec operator is available

Related Vulnerabilities: CVE-2019-3835   CVE-2019-3838  

Debian Bug report logs - #925256


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Mar 2019 21:06:02 UTC

Severity: grave

Tags: security, upstream

Found in versions ghostscript/9.26a~dfsg-2, ghostscript/9.26a~dfsg-0+deb9u1

Fixed in versions ghostscript/9.27~~dc1~dfsg-1, ghostscript/9.27~dfsg-1, ghostscript/9.26a~dfsg-0+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=700585



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>: Bug#925256; Package src:ghostscript. (Thu, 21 Mar 2019 21:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Thu, 21 Mar 2019 21:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghostscript: CVE-2019-3835: superexec operator is available
Date: Thu, 21 Mar 2019 22:02:52 +0100
Source: ghostscript
Version: 9.26a~dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 9.26a~dfsg-0+deb9u1

Hi,

The following vulnerability was published for ghostscript.

CVE-2019-3835[0]:
superexec operator is available

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3835
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835

Regards,
Salvatore



Marked as found in versions ghostscript/9.26a~dfsg-0+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 Mar 2019 21:06:04 GMT)


Set Bug forwarded-to-address to 'https://bugs.ghostscript.com/show_bug.cgi?id=700585'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Mar 2019 21:18:05 GMT)


Marked as fixed in versions ghostscript/9.27~~dc1~dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Mar 2019 15:06:03 GMT)


Reply sent to Jonas Smedegaard <dr@jones.dk>: You have taken responsibility. (Thu, 04 Apr 2019 18:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 04 Apr 2019 18:36:03 GMT)


Message #16 received at 925256-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 925256-close@bugs.debian.org
Subject: Bug#925256: fixed in ghostscript 9.27~dfsg-1
Date: Thu, 04 Apr 2019 18:33:56 +0000
Source: ghostscript
Source-Version: 9.27~dfsg-1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 04 Apr 2019 20:17:20 +0200
Source: ghostscript
Architecture: source
Version: 9.27~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 925256 925257
Changes:
 ghostscript (9.27~dfsg-1) unstable; urgency=high
 .
   [ upstream ]
   * New release.
     Closes: Bug#925256, 925257 (CVE-2019-3835, CVE-2019-3838).
     Thanks to Salvatore Bonaccorso.
   * Set urgency=high, due to CVE fix.
 .
   [ Jonas Smedegaard ]
   * Drop patches cherry-picked upstream now applied.
   * Unfuzz patches.
   * Build-depend versioned on libjbig2dec0-dev
     (not unversioned on libjbig2dec-dev).
   * Use dpkg-provided snippet
     (not additional explicit dpkg-parsechangelog call)
     to resolve when build is targeted experimental suite.
   * Revert to again split ABI at ~ (not a).
   * Update copyright info: Extend coverage for main upstream author.
   * Update testsuite to catch new error message.
   * Update symbols:
     + 18 private symbols dropped.
     + 51 private symbols dropped.
Checksums-Sha1:
 4c6633d9afd8b31376bbb49221ed172e6e759f56 2763 ghostscript_9.27~dfsg-1.dsc
 ce6d3c89086a238ff6683e3a0fa3a71be7891d94 17723588 ghostscript_9.27~dfsg.orig.tar.xz
 8a1498bb08f48dbc73870d4c3c772aded7c3ef5b 109348 ghostscript_9.27~dfsg-1.debian.tar.xz
 149bb071b68b64e5dc374b60316ae55fae78871c 11563 ghostscript_9.27~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 bad0561b406e5c92c4413f23e900a81f72c0e144e388f6e6d9d6caeeda408c0f 2763 ghostscript_9.27~dfsg-1.dsc
 b90d2117e93c63d774a5ab0a4d6a19c5dcbfd877462ee39a405262948e23ff9b 17723588 ghostscript_9.27~dfsg.orig.tar.xz
 4aa944a477f218264b6d70644491b4bdf8a7b0f6c18fdfec5e65a99dfaf01e24 109348 ghostscript_9.27~dfsg-1.debian.tar.xz
 4f299d749c0f0be29bfefd80de50a1c45b80771fb6d6db54711a938322c79ce5 11563 ghostscript_9.27~dfsg-1_amd64.buildinfo
Files:
 99fc8eb26d9a8e27b581e9eca089a462 2763 text optional ghostscript_9.27~dfsg-1.dsc
 5fd2cef0eafc9482f96342344faf935f 17723588 text optional ghostscript_9.27~dfsg.orig.tar.xz
 fad7f4bed7fd2df51f2992d5e898ebb0 109348 text optional ghostscript_9.27~dfsg-1.debian.tar.xz
 8f719015ef3c70bdc32dcd42579702db 11563 text optional ghostscript_9.27~dfsg-1_amd64.buildinfo





Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 18 Apr 2019 17:36:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 18 Apr 2019 17:36:15 GMT)


Message #21 received at 925256-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 925256-close@bugs.debian.org
Subject: Bug#925256: fixed in ghostscript 9.26a~dfsg-0+deb9u2
Date: Thu, 18 Apr 2019 17:32:08 +0000
Source: ghostscript
Source-Version: 9.26a~dfsg-0+deb9u2

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 13 Apr 2019 16:40:43 +0200
Source: ghostscript
Architecture: source
Version: 9.26a~dfsg-0+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 925256 925257
Changes:
 ghostscript (9.26a~dfsg-0+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Have gs_cet.ps run from gs_init.ps
   * Undef /odef in gs_init.ps
   * Restrict superexec and remove it from internals and gs_cet.ps
     (CVE-2019-3835) (Closes: #925256)
   * Obliterate "superexec". We don't need it, nor do any known apps
     (CVE-2019-3835) (Closes: #925256)
   * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838)
     (Closes: #925257)
   * An extra transient proc needs to be executeonly'ed (CVE-2019-3838)
     (Closes: #925257)
Checksums-Sha1: 
 a36471ccccfaa5f824feb421b9b8d36a01880ed2 3052 ghostscript_9.26a~dfsg-0+deb9u2.dsc
 64988c4bcb2461931ab91c63de5c3c3c7bb14a07 114608 ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz
Checksums-Sha256: 
 f2db945f626273db54377fd2114278e0bedce96310668b6e550b26305ff9d29c 3052 ghostscript_9.26a~dfsg-0+deb9u2.dsc
 83f9bf1932c637733e63e293ed822dff0ea9b47914c743d29725ffc2cee839e8 114608 ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz
Files: 
 3eaf5fdf443490ece65b2bf39c69456f 3052 text optional ghostscript_9.26a~dfsg-0+deb9u2.dsc
 be65f72beb08cce7f64abd31998ceb20 114608 text optional ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 May 2019 07:27:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:38 2019; Machine Name: buxtehude
