
Bug#869913: marked as done (ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c))



Your message dated Sun, 08 Oct 2017 11:33:49 +0000
with message-id <E1e19q9-000D7W-JD@fasolo.debian.org>
and subject line Bug#869913: fixed in ghostscript 9.06~dfsg-2+deb8u6
has caused the Debian Bug report #869913,
regarding ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
869913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869913
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698056

Hi,

the following vulnerability was published for ghostscript.

CVE-2017-9727[0]:
| The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscript
| GhostXPS 9.22 allows remote attackers to cause a denial of service
| (heap-based buffer over-read and application crash) or possibly have
| unspecified other impact via a crafted document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9727
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9727
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698056
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.06~dfsg-2+deb8u6

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869913@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 28 Sep 2017 21:55:37 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.06~dfsg-2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 869907 869910 869913 869915 869916 869917 869977
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Bounds check the array allocations methods (CVE-2017-9835)
     (Closes: #869907)
   * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917)
   * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916)
   * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915)
   * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
     (Closes: #869913)
   * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
   * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977)


--- End Message ---
