
Bug#793489: marked as done (ghostscript: CVE-2015-3228: Integer overflow)



Your message dated Tue, 04 Aug 2015 21:17:59 +0000
with message-id <E1ZMjax-0007Vb-LY@franck.debian.org>
and subject line Bug#793489: fixed in ghostscript 9.05~dfsg-6.3+deb7u2
has caused the Debian Bug report #793489,
regarding ghostscript: CVE-2015-3228: Integer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
793489: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793489
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Severity: important
Tags: security patch

Hi,

the following vulnerability was published for ghostscript.

CVE-2015-3228[0]: Integer overflow

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3228
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3228
    Please adjust the affected versions in the BTS as needed.

All the versions in Debian are affected by the underlying problem
in the memory allocation (see
http://bugs.ghostscript.com/show_bug.cgi?id=696070) but experimental
(9.15~rc1~dfsg-1) does not trigger the segfault due to other changes.

You can reproduce the problem with this:
$ wget http://bugs.ghostscript.com/attachment.cgi?id=11776 -O /tmp/test.ps
$ ps2pdf /tmp/test.ps
Segmentation fault

The suggested patch is here:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.05~dfsg-6.3+deb7u2

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793489@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 01 Aug 2015 08:14:20 +0200
Source: ghostscript
Binary: ghostscript ghostscript-cups ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.05~dfsg-6.3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-cups - interpreter for the PostScript language and for PDF - CUPS filter
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 793489
Changes: 
 ghostscript (9.05~dfsg-6.3+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2015-3228.patch patch.
     CVE-2015-3228: Integer overflow in gs_heap_alloc_bytes() (Closes: #793489)
Checksums-Sha1: 
 f34d6d2b5f3c7d4961c4c1eeec6d53c286611116 2884 ghostscript_9.05~dfsg-6.3+deb7u2.dsc
 be53c2fd66535d39b979afe8cc83660e2ca7d48e 18417954 ghostscript_9.05~dfsg.orig.tar.gz
 d7b05378810b88a53dfbb9c4d251fdbbd8bd1205 89128 ghostscript_9.05~dfsg-6.3+deb7u2.debian.tar.xz
 df1cf15531a019863d2a57896384ccd97697e52e 2452416 ghostscript-doc_9.05~dfsg-6.3+deb7u2_all.deb
 3c43487d58e80afa91249e13dfeed6dd70a45ac6 1976984 libgs9-common_9.05~dfsg-6.3+deb7u2_all.deb
 538fbfd1c1d2dc112b292d8d011d1a4cfa281a42 80302 ghostscript_9.05~dfsg-6.3+deb7u2_amd64.deb
 bc8a4b539e99dab372927ec7061930eca6b76830 59754 ghostscript-cups_9.05~dfsg-6.3+deb7u2_amd64.deb
 9fa758ee57bbf207e61bd946ab42879140b2f38a 71974 ghostscript-x_9.05~dfsg-6.3+deb7u2_amd64.deb
 f19d8df03ac2c777d138276b8f8f6e3064a67ebc 1844340 libgs9_9.05~dfsg-6.3+deb7u2_amd64.deb
 4a35c114a0b7021a521ddc9f48d10c1b5395a4ce 2036650 libgs-dev_9.05~dfsg-6.3+deb7u2_amd64.deb
 6aeca6e3662ad5338d169cb523d8dc009b0b9c4f 5314542 ghostscript-dbg_9.05~dfsg-6.3+deb7u2_amd64.deb
Checksums-Sha256: 
 1cafef23b84bf9c16ea423c6d3417e183e088f091583cc2c051cb884e3d9bfd0 2884 ghostscript_9.05~dfsg-6.3+deb7u2.dsc
 fb9dd30c0889d3c9cce94b7b0e0964efafacbbd662a7b2577f626e8a75e9b84b 18417954 ghostscript_9.05~dfsg.orig.tar.gz
 67c3f458d23aaa7273a8a3401c0a2187aa6871f59a9ed59d3614d6412ea35fdb 89128 ghostscript_9.05~dfsg-6.3+deb7u2.debian.tar.xz
 43adf4d94d0f44219092faba09e20eca33c2502c0cdc44ef3f6ad4d6c79b6d4b 2452416 ghostscript-doc_9.05~dfsg-6.3+deb7u2_all.deb
 945a38c9ed86903442375cc61381ba6cdfea63dda9fb1d0d1000a6e64d5c7d29 1976984 libgs9-common_9.05~dfsg-6.3+deb7u2_all.deb
 dbc194509b013e2ec06d374d667dae9cadb7950c87735804a59400f9b55168d6 80302 ghostscript_9.05~dfsg-6.3+deb7u2_amd64.deb
 ec4806c185675f4347ede92f4758343c0ce88ffc2ac4b500ee8e88afc7110c27 59754 ghostscript-cups_9.05~dfsg-6.3+deb7u2_amd64.deb
 1bb727d37b448bb741e64eb099a4467e10d0b1ad7dee50e83d98ce77430d5031 71974 ghostscript-x_9.05~dfsg-6.3+deb7u2_amd64.deb
 365fc1c73e3fc9c7776edfe7fc4d0552ca16f0cdb09627a754c0fa51ad5db4dd 1844340 libgs9_9.05~dfsg-6.3+deb7u2_amd64.deb
 f1a0d29a32f8ba4d7ea2a07938496f7171de6613b78973d23b838468f5a8851e 2036650 libgs-dev_9.05~dfsg-6.3+deb7u2_amd64.deb
 785256ece09987057e9765807d8d978648658dce42024700439491c080d36430 5314542 ghostscript-dbg_9.05~dfsg-6.3+deb7u2_amd64.deb
Files: 
 b2a52588d6a9319dab251fa789ba1bbb 2884 text optional ghostscript_9.05~dfsg-6.3+deb7u2.dsc
 db2b6394d4f7c801f15201340521890a 18417954 text optional ghostscript_9.05~dfsg.orig.tar.gz
 22a317d9205ff5ec6d76410ce2526f18 89128 text optional ghostscript_9.05~dfsg-6.3+deb7u2.debian.tar.xz
 16c0d7e962b738a90289d88a1e262159 2452416 doc optional ghostscript-doc_9.05~dfsg-6.3+deb7u2_all.deb
 b8313544364768f29aff88aa861fb865 1976984 libs optional libgs9-common_9.05~dfsg-6.3+deb7u2_all.deb
 3cc74120a466391f67f68a0bfcb5a54a 80302 text optional ghostscript_9.05~dfsg-6.3+deb7u2_amd64.deb
 8a0404772e9109b8a202e6834cf14ecf 59754 text optional ghostscript-cups_9.05~dfsg-6.3+deb7u2_amd64.deb
 10f904aa50c5385e8cdd31d977569269 71974 text optional ghostscript-x_9.05~dfsg-6.3+deb7u2_amd64.deb
 76f22dca6dbd36c47c94b0f0a482e054 1844340 libs optional libgs9_9.05~dfsg-6.3+deb7u2_amd64.deb
 8bf610ae92b9af7bd8529fea6b8929d3 2036650 libdevel optional libgs-dev_9.05~dfsg-6.3+deb7u2_amd64.deb
 432fe6d9ab0d7b435a4f388be6a498ab 5314542 debug extra ghostscript-dbg_9.05~dfsg-6.3+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVvGW5AAoJEAVMuPMTQ89EMXEQAJh/3kEmSnBh0zeRYEo6QIJR
CAOy2wbpzNsriPZ34Ad4d5E4uykZu0O4i0/3pfwzOwJwHCKwhyjGZC2iFzxvE9pY
zdm7mYNeCLToW93ZJwZNfVJzXvOZghTDgSz+E/taD8s1CpiIyon6Jq37TyXAAHt+
RFSLSgOjdfdKwuoV1S/xWVaoMqCWK+ZHGabu7A8Nu+9SEe+LNI5+q+dRcmDGbbDK
myvLh4AzetkORdUE5uTf2Gp41R5Fh7PF1qe7sBTkZKO8iqSGsbZNHDpVkp/W4+fo
T7sM0QcpwWHpYcOSvhMfh3QvKIm3lUcYCeN2yUuCICeuhI6DxFMs6x8b/4auakXu
9c14jarmdctjawPX55nTKUbGr8XpJqAEoziQpwDziMnE0Cnd3dm5ApDlsytbzL64
cIyNTH6g7zE4tIFgpCiAtg97q56GigMu82pVE7XKiCVUNNNq3xnh581nWPtxHl5i
JmQcCWjwK0jVx0zaoOWVRE3N2lR/T6kuIziQ0RBNiDJFVn0fefukRmmKukG0MAn7
b2ctEdDuH5yDkqhPiy1QhRao3tYBfHwBNVm8F8lmj9MUaem/l27Hjgfmab4q6OBZ
qMbR4ZUJHS0OcgvN3DNP99wGkefbgv3t7R8MX+CUlyM/3lrdkdwq4YX6FGcpFQ36
6GPUtCYbUxORi1iUCQ7H
=luvG
-----END PGP SIGNATURE-----

--- End Message ---
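The problem described in the report above (a crash rooted in the memory allocator) and named in the changelog as an integer overflow in gs_heap_alloc_bytes() belongs to a common class: an allocator adds its per-block header size to a caller-supplied size in a fixed-width unsigned integer, the sum wraps, and a limit check that only inspects the wrapped total passes a request that is in fact far too large. The C program below is an added illustration of that pattern and its fix; it is not Ghostscript's code and not the patch linked in the report. The 16-byte header, the 1 MiB limit, and the function names are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed per-block bookkeeping overhead (hypothetical, fixed for the demo). */
enum { HDR_SIZE = 16 };

/*
 * Vulnerable pattern: the header is added to the caller's size first and only
 * the resulting total is checked.  If size + HDR_SIZE wraps around in an
 * unsigned int, the total looks tiny and the limit check passes.
 * Returns the byte count that would be handed to malloc(), or 0 on reject.
 * Precondition: used <= limit.
 */
unsigned int checked_total_vuln(unsigned int size, unsigned int limit, unsigned int used)
{
    unsigned int added = size + HDR_SIZE;          /* can wrap modulo 2^32 */
    if (added > limit || added > limit - used)
        return 0;
    return added;
}

/*
 * Hardened pattern: bound the caller's size before any arithmetic that could
 * wrap, so the addition below is known not to overflow.
 * Preconditions: HDR_SIZE <= limit and used <= limit.
 */
unsigned int checked_total_safe(unsigned int size, unsigned int limit, unsigned int used)
{
    if (size > limit - HDR_SIZE)                   /* too large even before the header */
        return 0;
    unsigned int added = size + HDR_SIZE;          /* cannot wrap: size <= limit - HDR_SIZE */
    if (added > limit - used)
        return 0;
    return added;
}

/*
 * Runs a request for almost 4 GiB through both checks.  The vulnerable check
 * accepts it and would ask malloc() for only 11 bytes, while the caller still
 * believes it owns ~4 GiB: any write into that block is a heap overflow.
 * Returns 1 when the vulnerable check accepted and the hardened one rejected.
 */
int demo_wrap(void)
{
    const unsigned int limit = 1u << 20;            /* assumed 1 MiB allocator limit */
    const unsigned int huge  = UINT_MAX - 4u;       /* wraps to 11 once HDR_SIZE is added */
    unsigned int v = checked_total_vuln(huge, limit, 0);
    unsigned int s = checked_total_safe(huge, limit, 0);
    printf("request %u bytes: vulnerable check -> %u bytes to malloc, hardened check -> %u\n",
           huge, v, s);
    return v != 0 && s == 0;
}

int main(void)
{
    /* An ordinary request is handled identically by both checks. */
    printf("request 1000 bytes: vulnerable -> %u, hardened -> %u\n",
           checked_total_vuln(1000, 1u << 20, 0), checked_total_safe(1000, 1u << 20, 0));
    return demo_wrap() ? 0 : 1;
}
```

Unsigned wraparound is defined behaviour in C, so neither the compiler nor UBSan's default checks flag the addition in checked_total_vuln(); clang's -fsanitize=unsigned-integer-overflow does, and so does a review rule that every size check must bound the operand before the arithmetic rather than after it, which is the shape of the hardened function.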
