Debian Bug report logs -
#908305
ghostscript: CVE-2018-16585
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#908305; Package src:ghostscript.
(Sat, 08 Sep 2018 09:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>.
(Sat, 08 Sep 2018 09:06:24 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ghostscript
Version: 9.20~dfsg-3.2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=699663
Control: fixed -1 9.20~dfsg-3.2+deb9u3
Hi,
The following vulnerability was published for ghostscript.
CVE-2018-16585[0]:
| An issue was discovered in Artifex Ghostscript before 9.24. The
| .setdistillerkeys PostScript command is accepted even though it is not
| intended for use during document processing (e.g., after the startup
| phase). This leads to memory corruption, allowing remote attackers able
| to supply crafted PostScript to crash the interpreter or possibly have
| unspecified other impact.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16585
[1] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
[3] https://bugs.ghostscript.com/show_bug.cgi?id=699663
Please adjust the affected versions in the BTS as needed.
Regards,
Salvtore
Marked as fixed in versions ghostscript/9.20~dfsg-3.2+deb9u3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 08 Sep 2018 09:06:26 GMT) (full text, mbox, link).
Reply sent
to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.
(Fri, 14 Sep 2018 17:09:11 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 14 Sep 2018 17:09:11 GMT) (full text, mbox, link).
Message #12 received at 908305-close@bugs.debian.org (full text, mbox, reply):
Source: ghostscript
Source-Version: 9.25~dfsg-1~exp1
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 908305@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 14 Sep 2018 18:39:11 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.25~dfsg-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
ghostscript - interpreter for the PostScript language and for PDF
ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
libgs-dev - interpreter for the PostScript language and for PDF - Development
libgs9 - interpreter for the PostScript language and for PDF - Library
libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 907703 908300 908303 908304 908305
Changes:
ghostscript (9.25~dfsg-1~exp1) experimental; urgency=medium
.
[ upstream ]
* New bugfix release(s).
Closes: Bug#907703, #908300, #908303, #908304, #908305
(CVE-2018-16509, CVE-2018-16543, CVE-2018-16510, CVE-2018-16585).
Thanks to Salvatore Bonaccorso.
.
* Update copyright info:
+ Stop exclude image containing non-DFSG ICC profile when
repackaging upstream source: Fixed upstream.
+ Fix cover license FTL.
* Set Rules-Requires-Root: no.
* Update symbols:
+ Drop commented out obsolete symbols.
+ Flag as optional symbols not declared in public header files.
* Avoid privacy breach linking documentation to jquery:
+ Add patch 2009 to use local jquery.
+ Add symlink from relative link to system-shared jquery library.
+ Have ghostscript-doc depend on libjs-jquery.
* Avoid privacy breach linking documentation to font:
+ Avoid linking to remote fonts in documentation.
* Avoid privacy breach linking documentation with Google:
+ Strip googletagmanager code from documentation.
Checksums-Sha1:
3bffe18729eeac8146b0e8567478db9334fecbb2 2765 ghostscript_9.25~dfsg-1~exp1.dsc
6801ed2321af28a60cad6b39da07813b9d4c8840 17577772 ghostscript_9.25~dfsg.orig.tar.xz
87bc40e0b7ead6664482a4a2e3105c3ab02bcf1b 106640 ghostscript_9.25~dfsg-1~exp1.debian.tar.xz
4209318532b3776f8a51cb79e2275ef8fa8129e7 11818 ghostscript_9.25~dfsg-1~exp1_amd64.buildinfo
Checksums-Sha256:
799f47facbc6ef2b11d9846a23330c74c8cc7d60163d9e2b0fd7c6831839bdde 2765 ghostscript_9.25~dfsg-1~exp1.dsc
d35949fe5c4e827d9468f29d395dd05c273d2482c703259084c8aff0a0ca6d82 17577772 ghostscript_9.25~dfsg.orig.tar.xz
6b3006bbcc6528aa1034fc1d73bf5fbd0451e9dc12607b6a67e25eeeedf062f5 106640 ghostscript_9.25~dfsg-1~exp1.debian.tar.xz
fe0c26419a55e60d679231e5df4a281f27c62865b4f57c16dc25b14bea5467a6 11818 ghostscript_9.25~dfsg-1~exp1_amd64.buildinfo
Files:
e728b22207588f4f237e7d0b209934d0 2765 text optional ghostscript_9.25~dfsg-1~exp1.dsc
f9b9532d6bf70b615824293e7557a623 17577772 text optional ghostscript_9.25~dfsg.orig.tar.xz
ff40800143ed11c68f95d48700823b71 106640 text optional ghostscript_9.25~dfsg-1~exp1.debian.tar.xz
e5f3e09824728e7100b0c827563a2038 11818 text optional ghostscript_9.25~dfsg-1~exp1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAlub5PAACgkQLHwxRsGg
ASF2pQ/+N/eD0f7leVeRbwKEnhPqdqelIwx0UgQWXlc8X7MNa0NXom+2zMXvWJEG
HR3V/tprF+UViy2r4rDeFPRdn+UZJpHtCt474PMel96CjaEsCYbk8LHQCQ3b5Ey7
mDw/4Mwtub5d0PKA8zNm+XoxeWM1qg0xRiDw8DAIF/89sQDRzRl4ApQsLkh4Bw48
QIceelOYnGflgtcrzd85ZoXT6+5O8pHMhFdELBnokNwKDUTNKtGLeQodFLFr8II8
qvMdzzdahNYQqFlgt1YdSciZzwRdV5uzUQaxPZ1M3sXaADPGk8crqEhlfhPwt/En
5Uv6F4Mr3lPeXK7ypiMOYTA8s6mII5YZ7xaZYwXbU6hBhB2fS6HxrWTQ9WoLF2Aq
judEU7BLVCNUR6bSzs4su71GgIIRAkwT1IUL2FQDnB78aQyhvYLaBx6sbz6Jf7Uh
Akm5Hu3+jj/hni0SmTbIenn2MnrC2V05oGQV6FRjPn04klRDoNmkNZF17ISXIjEq
bu/Ndkzod+FjkS4aFyx65FxWxneq5zgu13mX8r+nTromE6G262xyiOKrWqrZLuia
w2KUeXc8+YgZetFSrtFl6eCcgyZ9ticumBYCq4kEb2f2gq7oZ7me//w8jbIAqPPc
tNTS8/wJq2z/E5c7dpcy2Dvh42x3GNh7t7hZbT2i9p0KocNXYO8=
=t7ND
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 11 Nov 2018 07:26:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:00:39 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon