
[SECURITY] [DLA 1620-1] ghostscript security update



Package        : ghostscript
Version        : 9.06~dfsg-2+deb8u13
CVE ID         : CVE-2018-19134 CVE-2018-19478


Some vulnerabilities were discovered in ghostscript, an interpreter for the
PostScript language and for PDF.

CVE-2018-19134

    The setpattern operator did not properly validate certain types. A specially
    crafted PostScript document could exploit this to crash Ghostscript or,
    possibly, execute arbitrary code in the context of the Ghostscript process.
    This is a type confusion issue because of failure to check whether the
    Implementation of a pattern dictionary was a structure type.

CVE-2018-19478

    Attempting to open a carefully crafted PDF file results in long-running
    computation. A sufficiently bad page tree can cause Ghostscript to spend a
    significant amount of time checking the tree for recursion.

For Debian 8 "Jessie", these problems have been fixed in version
9.06~dfsg-2+deb8u13.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
