Debian Bug report logs - #468190
ghostscript: CVE-2008-0411 buffer overflow via crafted .ps file
Reported by: Nico Golde <nion@debian.org>
Date: Wed, 27 Feb 2008 15:36:02 UTC
Severity: grave
Tags: patch, security
Found in version ghostscript/8.61.dfsg.1-1
Fixed in version ghostscript/8.61.dfsg.1-1.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#468190; Package ghostscript.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: ghostscript
Version: 8.61.dfsg.1-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.
CVE-2008-0411[0]:
| This advisory notes a stack-based buffer overflow in the zseticcspace()
| function in zicc.c. The issue is over-trust of the length of a postscript array
| which an attacker can set to an arbitrary length. One slight amusement is that
| the overflowed type is "float", leading to machine code -> float conversion in
| any exploit.
Mitre has not yet put any vulnerability text on their website.
In the meantime you can get a verbose description on:
http://scary.beasts.org/security/ea9fde3e0e58b7b6/CESA-2008-001.html
A patch is attached.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0411
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ghostscript-8.60-CESA-2008-001.diff (text/x-diff, attachment)]
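A simplified model of the bug class the advisory above describes (a fixed-size float buffer filled using a length taken from the input array), with the missing bounds check beside it. This is an added example, not Ghostscript's zicc.c and not the attached patch; RANGE_SLOTS, FRAME_SLOTS, frame_t and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define RANGE_SLOTS 8  /* capacity of the fixed float buffer (assumed value) */
#define FRAME_SLOTS 16 /* buffer plus 8 slots standing in for adjacent data */

/* Constructed model of a stack frame; one flat array avoids real UB. */
typedef struct { float slot[FRAME_SLOTS]; } frame_t;

/* Over-trusting copy: the loop bound is the length the input array claims.
 * The FRAME_SLOTS clamp exists only so this model never leaves its array. */
static void fill_unchecked(frame_t *f, const float *arr, size_t len) {
    for (size_t i = 0; i < len && i < FRAME_SLOTS; i++)
        f->slot[i] = arr[i]; /* i >= RANGE_SLOTS overwrites the neighbours */
}

/* Hardened copy: reject the array before writing if it cannot fit. */
static int fill_checked(frame_t *f, const float *arr, size_t len) {
    if (len > RANGE_SLOTS)
        return -1;
    for (size_t i = 0; i < len; i++)
        f->slot[i] = arr[i];
    return 0;
}

/* Number of neighbouring slots that no longer hold their initial 0.0f. */
static size_t clobbered(const frame_t *f) {
    size_t n = 0;
    for (size_t i = RANGE_SLOTS; i < FRAME_SLOTS; i++)
        n += (f->slot[i] != 0.0f);
    return n;
}

/* Run one copy of `len` constructed floats; report damage and status. */
size_t run_copy(size_t len, int checked, int *status) {
    frame_t f = {{0}};
    float arr[FRAME_SLOTS];
    for (size_t i = 0; i < FRAME_SLOTS; i++)
        arr[i] = 1.0f + (float)i; /* constructed, non-zero input values */
    *status = checked ? fill_checked(&f, arr, len) : (fill_unchecked(&f, arr, len), 0);
    return clobbered(&f);
}

int main(void) {
    int st;
    size_t n = run_copy(12, 0, &st);
    printf("unchecked len 12: %zu neighbour slots overwritten\n", n);
    n = run_copy(12, 1, &st);
    printf("checked   len 12: %zu overwritten, status %d\n", n, st);
}
```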
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#468190; Package ghostscript.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
Message #10 received at 468190@bugs.debian.org:
The permanent link to the advisory text:
http://scary.beasts.org/security/CESA-2008-001.html
Note that this issue has already been fixed in stable/oldstable in DSA-1510-1.
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#468190; Package ghostscript.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
Message #15 received at 468190@bugs.debian.org:
Hi,
uploading a 0-day NMU to fix this as the maintainer is
listed in the LowThresholdNmu list.
Attached is the patch to fix this.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/ghostscript-8.61.dfsg.1-1_8.61.dfsg.1-1.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ghostscript-8.61.dfsg.1-1_8.61.dfsg.1-1.1.patch (text/x-diff, attachment)]
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #20 received at 468190-close@bugs.debian.org:
Source: ghostscript
Source-Version: 8.61.dfsg.1-1.1
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:
ghostscript-doc_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/ghostscript-doc_8.61.dfsg.1-1.1_all.deb
ghostscript-x_8.61.dfsg.1-1.1_i386.deb
to pool/main/g/ghostscript/ghostscript-x_8.61.dfsg.1-1.1_i386.deb
ghostscript_8.61.dfsg.1-1.1.diff.gz
to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1.diff.gz
ghostscript_8.61.dfsg.1-1.1.dsc
to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1.dsc
ghostscript_8.61.dfsg.1-1.1_i386.deb
to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1_i386.deb
gs-aladdin_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/gs-aladdin_8.61.dfsg.1-1.1_all.deb
gs-common_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/gs-common_8.61.dfsg.1-1.1_all.deb
gs-esp_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/gs-esp_8.61.dfsg.1-1.1_all.deb
gs-gpl_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/gs-gpl_8.61.dfsg.1-1.1_all.deb
gs_8.61.dfsg.1-1.1_all.deb
to pool/main/g/ghostscript/gs_8.61.dfsg.1-1.1_all.deb
libgs-dev_8.61.dfsg.1-1.1_i386.deb
to pool/main/g/ghostscript/libgs-dev_8.61.dfsg.1-1.1_i386.deb
libgs8_8.61.dfsg.1-1.1_i386.deb
to pool/main/g/ghostscript/libgs8_8.61.dfsg.1-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 468190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 01 Mar 2008 11:18:27 +0100
Source: ghostscript
Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.61.dfsg.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
ghostscript - The GPL Ghostscript PostScript/PDF interpreter
ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
gs - Transitional package
gs-aladdin - Transitional package
gs-common - Transitional package
gs-esp - Transitional package
gs-gpl - Transitional package
libgs-dev - The Ghostscript PostScript Library - Development Files
libgs8 - The Ghostscript PostScript/PDF interpreter Library
Closes: 468190
Changes:
ghostscript (8.61.dfsg.1-1.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* Fix stack based buffer overflow in the zseticcspace() function possibly
leading to arbitrary code execution via a crafted ps file.
(31_CVE-2008-0411.dpatch; Closes: #468190).
* Adjusting libgs shlibs file to match the new version number.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Apr 2008 07:33:57 GMT)