ghostscript: CVE-2021-3781

Debian Bug report logs - #994011
ghostscript: CVE-2021-3781

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ghostscript: CVE-2021-3781

Date: Thu, 09 Sep 2021 19:20:08 +0200

Source: ghostscript
Version: 9.53.3~dfsg-7
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=704342
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ghostscript.

CVE-2021-3781[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3781
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3781
[1] https://bugs.ghostscript.com/show_bug.cgi?id=704342 (not public yet)
[2] https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde

Regards,
Salvatore

Message #10 received at 994011@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <jonas@jones.dk>

To: 994011@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#994011: ghostscript: CVE-2021-3781

Date: Thu, 09 Sep 2021 20:09:42 +0200

[Message part 1 (text/plain, inline)]

Hi Salvatore,

Quoting Salvatore Bonaccorso (2021-09-09 19:20:08)
> The following vulnerability was published for ghostscript.
> 
> CVE-2021-3781[0].

I have prepared a package fixing this issue, available at 
https://salsa.debian.org/printing-team/ghostscript/-/tree/debian/bullseye

Please tell how I should proceed with it - or feel free to proceed 
yourself from here.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 994011@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Jonas Smedegaard <jonas@jones.dk>, 994011@bugs.debian.org

Subject: Re: Bug#994011: ghostscript: CVE-2021-3781

Date: Thu, 9 Sep 2021 20:43:30 +0200

Hi Jonas,

On Thu, Sep 09, 2021 at 08:09:42PM +0200, Jonas Smedegaard wrote:
> Hi Salvatore,
> 
> Quoting Salvatore Bonaccorso (2021-09-09 19:20:08)
> > The following vulnerability was published for ghostscript.
> > 
> > CVE-2021-3781[0].
> 
> I have prepared a package fixing this issue, available at 
> https://salsa.debian.org/printing-team/ghostscript/-/tree/debian/bullseye
> 
> Please tell how I should proceed with it - or feel free to proceed 
> yourself from here.

I did actually already uploaded earlier today to the embargoed queues,
waiting for the builds of mips64el and s390x yet, but then hope to
release the DSA soon.

Regards,
Salvatore

Message #20 received at 994011-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 994011-close@bugs.debian.org

Subject: Bug#994011: fixed in ghostscript 9.53.3~dfsg-8

Date: Thu, 09 Sep 2021 19:10:49 +0000

Source: ghostscript
Source-Version: 9.53.3~dfsg-8
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994011@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Sep 2021 20:12:26 +0200
Source: ghostscript
Architecture: source
Version: 9.53.3~dfsg-8
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 994011
Changes:
 ghostscript (9.53.3~dfsg-8) unstable; urgency=high
 .
   * add patch cherry-picked upstream
     to fix access validationaccess validation;
     closes: bug#994011;
     CVE-2021-3781
   * Set urgency=high due to security fix.
Checksums-Sha1:
 91bf03880e1078d285de68a92a9231243c5d86c4 2677 ghostscript_9.53.3~dfsg-8.dsc
 60a954d0db52d46532885dc475b29f7740eef1ec 120024 ghostscript_9.53.3~dfsg-8.debian.tar.xz
 d99ecdcae3cd8304ea7b666306c3096b230e2a80 11797 ghostscript_9.53.3~dfsg-8_amd64.buildinfo
Checksums-Sha256:
 a8148d19d8d14e467da7492488ef37df0fc086e9f369d87d00b368dba7d2d80a 2677 ghostscript_9.53.3~dfsg-8.dsc
 49069924c3e4add7ddfea38c200fd48e0fe7b9011f57714dbaa233b7fd5f05d9 120024 ghostscript_9.53.3~dfsg-8.debian.tar.xz
 50f35baa305a884ecb34e6a2c75cb53bdc4a4045a3fb43f438c7fbd5d4f19317 11797 ghostscript_9.53.3~dfsg-8_amd64.buildinfo
Files:
 c7b98246a04a7586e5184e575cd51c78 2677 text optional ghostscript_9.53.3~dfsg-8.dsc
 61b28baa18767cf251c55f82be501fcf 120024 text optional ghostscript_9.53.3~dfsg-8.debian.tar.xz
 ed3f930906b3ee5163ee0390d3ec03a7 11797 text optional ghostscript_9.53.3~dfsg-8_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmE6UVYACgkQLHwxRsGg
ASHxGQ//X/kpmGtY8gxUP7hnFJ6UsztVRFNc3kslJCPdo26kxkwf3SMvalMCitGm
HqoUv1fjoGBybQ/QQWgSRLpv8VGWqWihT6YbrCgCP3WAT8P4uRU5dOkL5dWpEQXT
mvrFACGZ4FFV9afChKxFDpd68tfjKNkP3OeTVic6wkBfdUbVkWO4h0Bjfs51vKDe
OpSyqQhpqQjtlEpXkmv+bCFKS3xoQaPm65HQIvD01j6Qb+DLDEIUij3ooR46Cyhc
AyIfgQNSZIVKhNDr/9+uEj0OHGXRQzwhhjSGRx62PT3rBPJeaZdkig+Z8TSLL86P
0xBW5VrvRNzw9mJdvtqwJTSO/EwSzx2H8DqvohXVrkTqMSPc8G4HP60SKAV82jJO
gt4/MfZFyTd1biyhxW4YMArpO03oX6eZcOIxvHKStIflQkJRf2JH+IdfMH02yuKQ
8XmClUaECLN/IXfp9y5pHkL2ngl+N+oHKurKK3RgvZDLwm2mZL1yBtI9qgYD2O+k
06sD5m6Mx6h5HFzdhvPtKXnU2gTdYTAlwfI01rTNLDt4s+qWG3CNUcCqwp5m289J
t6DBkJN4t2jvlJF1/Tdut7YVKfO53zSIA3jW85FuqD/fGDQ/BdVGpSHNDwHjyM08
y2Sc57qSptX1IIkVEZiLxR6AXwn4/E6m8hqZYODUIC4P6/dV2yU=
=+fGS
-----END PGP SIGNATURE-----

Message #25 received at 994011-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 994011-close@bugs.debian.org

Subject: Bug#994011: fixed in ghostscript 9.54.0~dfsg-2

Date: Thu, 09 Sep 2021 19:10:57 +0000

Source: ghostscript
Source-Version: 9.54.0~dfsg-2
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994011@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Sep 2021 20:41:03 +0200
Source: ghostscript
Architecture: source
Version: 9.54.0~dfsg-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 994011
Changes:
 ghostscript (9.54.0~dfsg-2) experimental; urgency=medium
 .
   * copyright-check: improve progress messages
   * add patch cherry-picked upstream
     to fix access validationaccess validation;
     closes: bug#994011;
     CVE-2021-3781
   * declare compliance with Debian Policy 4.6.0
Checksums-Sha1:
 602bb43437091f0a98ff24a2ebf186d6dd3c2edb 2677 ghostscript_9.54.0~dfsg-2.dsc
 48347ce53fdcb9764f281f243742b329b54969eb 119700 ghostscript_9.54.0~dfsg-2.debian.tar.xz
 75b686cceb4287977f0a1dcc9761b1f24bf6a7eb 11797 ghostscript_9.54.0~dfsg-2_amd64.buildinfo
Checksums-Sha256:
 e5941cd6b3af766f1c5fee0e95c67b8b4eb8c58633ff29531c6462481cf1c17f 2677 ghostscript_9.54.0~dfsg-2.dsc
 b00980106868beb6f296295d23527f1379730b645e1b5cf5fb6e788987e8632f 119700 ghostscript_9.54.0~dfsg-2.debian.tar.xz
 2ec413e4ed473635e152bf6a16c6aef49d98c9800d33bb9ea0fa0d2d0f62ee79 11797 ghostscript_9.54.0~dfsg-2_amd64.buildinfo
Files:
 2aa12939b54c753036077adedf6df31d 2677 text optional ghostscript_9.54.0~dfsg-2.dsc
 ffdda551adbba68430793cc24b49dcd6 119700 text optional ghostscript_9.54.0~dfsg-2.debian.tar.xz
 1689f1842053cc319e20a404b7621ae5 11797 text optional ghostscript_9.54.0~dfsg-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmE6VyEACgkQLHwxRsGg
ASEqOA/+KHgMLUMBDbicDGwN5Gxf3yEi/fvroRZsko2gPJ5c4JxcJ92NyQtt1baT
A9e/sPePC3n0KXbTAlXQslt5Lrm5mjEtwznR5WxrvF0SzukeZcXoTTvPae5HxFiF
SFQ4BEQWFCEsx/UlgfS9deP5dj2Q1Pg/ACueGPJ6UDolXe0vXfG/bulCs4jKwLAW
iUVr0BpcTalzih4wxeKw/KL9sMYPZipD8rrPLO2IEW6gRpokDQ8Yvqo5d2rf7/Tr
d+fHn0UsyrNX9Kq6WEfgzI4TK1isWm+RzBjbxyQADy6dm0euVtN5FciWzMK+TPNt
YQ7EmVnZeSWQBmo3G0jl91/eyy9SAQALBMELjyw1pWGGLa9jvDUVoSYyQBYOGqJu
+Brx6+e/5xioJF/NrL6yHx5UdELuQAefI/1yMu+8kaTIuhslN/C3xcj2qWgaC8o0
Gd4zCM5IwcjoLlEhByghu7nAEBXARhxtkvWGFEnlbZE/BHHbMkN6GafmflOVzjcs
9qTM/ogQf9eLkZ2HOSQw/2a9pzqcnK6Y8ivgk1xF2K5cOrsCkII6IDwH5fJ55DI5
MGHyW1Fhoavj30i9Or4V/wiGB6HiumJ+h4T9eDUbNeAC5EBRLZPE8CjPArsNKBs0
MmlvQ4LQW6zUTNnMMnonDzk8OfS395CehPM94tAVkCvmJ9bl0Ks=
=zQT2
-----END PGP SIGNATURE-----

Message #30 received at 994011@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <jonas@jones.dk>

To: 994011@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#994011: ghostscript: CVE-2021-3781

Date: Thu, 09 Sep 2021 21:16:22 +0200

[Message part 1 (text/plain, inline)]

Quoting Salvatore Bonaccorso (2021-09-09 20:43:30)
> Hi Jonas,
> 
> On Thu, Sep 09, 2021 at 08:09:42PM +0200, Jonas Smedegaard wrote:
> > Hi Salvatore,
> > 
> > Quoting Salvatore Bonaccorso (2021-09-09 19:20:08)
> > > The following vulnerability was published for ghostscript.
> > > 
> > > CVE-2021-3781[0].
> > 
> > I have prepared a package fixing this issue, available at 
> > https://salsa.debian.org/printing-team/ghostscript/-/tree/debian/bullseye
> > 
> > Please tell how I should proceed with it - or feel free to proceed 
> > yourself from here.
> 
> I did actually already uploaded earlier today to the embargoed queues,
> waiting for the builds of mips64el and s390x yet, but then hope to
> release the DSA soon.

Excellent!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 994011@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Jonas Smedegaard <jonas@jones.dk>

Cc: 994011@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#994011: ghostscript: CVE-2021-3781

Date: Fri, 10 Sep 2021 14:17:14 +0200

Hi Jonas,

On Thu, Sep 09, 2021 at 09:16:22PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2021-09-09 20:43:30)
> > Hi Jonas,
> > 
> > On Thu, Sep 09, 2021 at 08:09:42PM +0200, Jonas Smedegaard wrote:
> > > Hi Salvatore,
> > > 
> > > Quoting Salvatore Bonaccorso (2021-09-09 19:20:08)
> > > > The following vulnerability was published for ghostscript.
> > > > 
> > > > CVE-2021-3781[0].
> > > 
> > > I have prepared a package fixing this issue, available at 
> > > https://salsa.debian.org/printing-team/ghostscript/-/tree/debian/bullseye
> > > 
> > > Please tell how I should proceed with it - or feel free to proceed 
> > > yourself from here.
> > 
> > I did actually already uploaded earlier today to the embargoed queues,
> > waiting for the builds of mips64el and s390x yet, but then hope to
> > release the DSA soon.
> 
> Excellent!

DSA 4972-1 released for it.

Regards,
Salvatore

Message #40 received at 994011-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 994011-close@bugs.debian.org

Subject: Bug#994011: fixed in ghostscript 9.53.3~dfsg-7+deb11u1

Date: Fri, 10 Sep 2021 16:02:07 +0000

Source: ghostscript
Source-Version: 9.53.3~dfsg-7+deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994011@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Sep 2021 19:23:11 +0200
Source: ghostscript
Architecture: source
Version: 9.53.3~dfsg-7+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 994011
Changes:
 ghostscript (9.53.3~dfsg-7+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Include device specifier strings in access validation (CVE-2021-3781)
     (Closes: #994011)
Checksums-Sha1: 
 4737cfd35503a61ffdad3ee475ce2df32efaae9d 2864 ghostscript_9.53.3~dfsg-7+deb11u1.dsc
 9ce4415e5f37d858b5eb4d11040cf4079f2129c6 23948068 ghostscript_9.53.3~dfsg.orig.tar.xz
 6e303c9863d23dce0cfdcd70b4149ed958714aba 120292 ghostscript_9.53.3~dfsg-7+deb11u1.debian.tar.xz
Checksums-Sha256: 
 701551ac2ffaa9763f4e90d2f0d58719fd59708604f1204506ed258149da09ff 2864 ghostscript_9.53.3~dfsg-7+deb11u1.dsc
 678f99fc6cca9a224f49891b8db5d9a325b8b3fbbffa9f29d44bac9f54603f3d 23948068 ghostscript_9.53.3~dfsg.orig.tar.xz
 b08c4a40ee3731b0d94cf21bcb1bc49bd76818b71ee63c91cab9d34f0b03a021 120292 ghostscript_9.53.3~dfsg-7+deb11u1.debian.tar.xz
Files: 
 48775e509741196d9267f98382d49371 2864 text optional ghostscript_9.53.3~dfsg-7+deb11u1.dsc
 653da2a0bebf9949634c137da72d1e26 23948068 text optional ghostscript_9.53.3~dfsg.orig.tar.xz
 e097902e2b65b9f238c43c41ec5b564b 120292 text optional ghostscript_9.53.3~dfsg-7+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmE6RLJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EbhMP/1LHmXAGw3LM40A6FQ9DLMeVKe3w+vEM
gMPWJo2jhqMu0Ga9V7FVgfw3cbpScQ7G3e1e0q+sFUNQMYIT+eWs+y0oSbfvOfwd
3KzRhXklc/lR/1Q55/zkYu4wVuM0lrEFPBo7r5dXDSHgm6aP4t+fXA0xLaDs0e3G
Yq27HOqOMvST2mQSCVfX1VVzAlfuRAOrgMbNnNaCZK/aPELuvW6OihiMzP23eMhY
a8pJL3LJgjARq5ODtEL0xOU3bKKDFiIk/L07jGZwQ8df05YhxteggEhIGic6cVIG
BiIQ963fZuNLV5+x18DMacnLY4GSLmM+ZNcLwYKakvOORZTDPc60X8rd631JMcv3
xxYeoBafirITnAqkpEG/JpiBz/YCzuPiry8IsXWnjXEoocykApE34gGHRFcwtnmm
FDFmAX/wf3paNtnFQZWFItk3HAC7w1sPUUKmzoHqJ4329bAsBKAqUwmjvw2lc2pz
UWR63biKtiax9THOF/AZJNeD6PFG53BWhKuufwtWjMBXPln1DgVyRJYyDjyy8atC
PDquAfH7uSNv6SKyG+W2LIXNe4c7NjixXMVlHQostQx20NU4hFMgd44tfTpOta/U
WxPF1LswJI456y0z6GFS//MVbUOM/m8BLs7H0ADNgy3C99oM9IpQPYmGBbzgSXXZ
s2kJHv7FcjNa
=NcKb
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.