ghostscript: CVE-2019-10216

Related Vulnerabilities: CVE-2019-10216  

Debian Bug report logs - #934638
ghostscript: CVE-2019-10216


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 12 Aug 2019 19:30:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions ghostscript/9.06~dfsg-2, ghostscript/9.27~dfsg-2, ghostscript/9.26a~dfsg-0+deb9u3, ghostscript/9.26a~dfsg-0+deb9u2, ghostscript/9.27~dfsg-3

Fixed in versions ghostscript/9.26a~dfsg-0+deb9u4, ghostscript/9.27~dfsg-2+deb10u1, ghostscript/9.27~dfsg-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=701394



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#934638; Package src:ghostscript. (Mon, 12 Aug 2019 19:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Mon, 12 Aug 2019 19:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghostscript: CVE-2019-10216
Date: Mon, 12 Aug 2019 21:27:11 +0200
Source: ghostscript
Version: 9.27~dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=701394
Control: found -1 9.27~dfsg-2
Control: found -1 9.26a~dfsg-0+deb9u2
Control: found -1 9.26a~dfsg-0+deb9u3
Control: found -1 9.06~dfsg-2
Control: fixed -1 9.26a~dfsg-0+deb9u4
Control: fixed -1 9.27~dfsg-2+deb10u1

Hi,

The following vulnerability was published for ghostscript.

CVE-2019-10216[0]:
| -dSAFER escape via .buildfont1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10216
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10216
[1] https://bugs.ghostscript.com/show_bug.cgi?id=701394
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234

Regards,
Salvatore



Marked as found in versions ghostscript/9.27~dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:05 GMT)


Marked as found in versions ghostscript/9.26a~dfsg-0+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:05 GMT)


Marked as found in versions ghostscript/9.26a~dfsg-0+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:06 GMT)


Marked as found in versions ghostscript/9.06~dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:07 GMT)


Marked as fixed in versions ghostscript/9.26a~dfsg-0+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:08 GMT)


Marked as fixed in versions ghostscript/9.27~dfsg-2+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 12 Aug 2019 19:30:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#934638; Package src:ghostscript. (Tue, 13 Aug 2019 08:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 13 Aug 2019 08:39:04 GMT)


Message #22 received at 934638@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 934638@bugs.debian.org
Subject: ghostscript: diff for NMU version 9.27~dfsg-3.1
Date: Tue, 13 Aug 2019 10:37:30 +0200
Control: tags 934638 + patch
Control: tags 934638 + pending

Dear Jonas,

I've prepared an NMU for ghostscript (versioned as 9.27~dfsg-3.1) and
uploaded it to according to your ack.

Merge request is as well in
https://salsa.debian.org/printing-team/ghostscript/merge_requests/7
(as the others for the respective versions in buster- and
stretch-security).

Regards,
Salvatore
[ghostscript-9.27~dfsg-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 934638-submit@bugs.debian.org. (Tue, 13 Aug 2019 08:39:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 934638-submit@bugs.debian.org. (Tue, 13 Aug 2019 08:39:05 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 13 Aug 2019 08:42:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 13 Aug 2019 08:42:09 GMT)


Message #31 received at 934638-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 934638-close@bugs.debian.org
Subject: Bug#934638: fixed in ghostscript 9.27~dfsg-3.1
Date: Tue, 13 Aug 2019 08:40:14 +0000
Source: ghostscript
Source-Version: 9.27~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 13 Aug 2019 09:49:11 +0200
Source: ghostscript
Architecture: source
Version: 9.27~dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 934638
Changes:
 ghostscript (9.27~dfsg-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload (with maintainers approval).
   * protect use of .forceput with executeonly (CVE-2019-10216)
     (Closes: #934638)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Aug 13 09:34:32 2019; Machine Name: beach
