
Re: Wheezy update of ghostscript?

[Adding debian-lts@lists.debian.org to CC]

Ola Lundqvist wrote:

> I started to look into ghostscript but I could not find any CVE for
> it. Do you remember which CVE you had in mind?

It was CVE-2016-9601, but:

commit 3999fc68814dbeb21394d0f49d4cb424bee59da8
Author: jmm <jmm@e39458fd-73e7-0310-bf30-c45bca0a0e42>
Date:   Thu Jan 5 12:17:38 2017 +0000

    fix source package, the vulnerability seems to be in jbig2dec, which is used by ghostscript these days

    git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@47750 e39458fd-73e7-0310-bf30-c45bca0a0e42

diff --git a/data/CVE/list b/data/CVE/list
index adbfb066..24d2f097 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -11310,7 +11310,7 @@ CVE-2016-9602
 CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new function]
-       - ghostscript <unfixed>
+       - jbig2dec <unfixed>
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697457
 CVE-2016-9600 [Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder]
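Review bot: The `- ghostscript <unfixed>` entry under CVE-2016-9601 is dropped outright, and nothing left in the entry records why ghostscript was listed or how it relates to jbig2dec. The commit message says the flaw only "seems to be" in jbig2dec and that ghostscript uses it "these days", so if any suite's ghostscript still carries its own copy of the jbig2 decoder, that package is no longer tracked for this CVE after the change. Consider adding a NOTE line next to the existing bugs.ghostscript.com NOTE stating that ghostscript is affected only through jbig2dec and in which suites that has been checked, so that anyone who reaches this entry while triaging ghostscript does not have to rediscover the reasoning.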


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
