
Bug#896069: marked as done (ghostscript: CVE-2018-10194: Buffer overflow on pprintg1 due to mishandle postscript file data to pdf)



Your message dated Fri, 20 Apr 2018 18:20:25 +0000
with message-id <E1f9ae1-000BVn-Ek@fasolo.debian.org>
and subject line Bug#896069: fixed in ghostscript 9.22~dfsg-2.1
has caused the Debian Bug report #896069,
regarding ghostscript: CVE-2018-10194: Buffer overflow on pprintg1 due to mishandle postscript file data to pdf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
896069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896069
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=699255

Hi,

The following vulnerability was published for ghostscript.

CVE-2018-10194[0]:
| The set_text_distance function in devices/vector/gdevpdts.c in the
| pdfwrite component in Artifex Ghostscript through 9.22 does not prevent
| overflows in text-positioning calculation, which allows remote
| attackers to cause a denial of service (application crash) or possibly
| have unspecified other impact via a crafted PDF document.

Unfortunately the upstream report at [1] is not (yet) public, but the
association with the upstream report is given by the commit at [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
[1] https://bugs.ghostscript.com/show_bug.cgi?id=699255
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.22~dfsg-2.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896069@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Apr 2018 12:28:29 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.22~dfsg-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860869 896069
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.22~dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
     (Closes: #860869)
   * pdfwrite - Guard against trying to output an infinite number
     (CVE-2018-10194) (Closes: #896069)
Checksums-Sha1: 
 b706d9247a412ef801d4bd2143a4ca24d589ca02 2905 ghostscript_9.22~dfsg-2.1.dsc
 76ef29dfa90800e17dcda8cc315b9580b0765ae3 105956 ghostscript_9.22~dfsg-2.1.debian.tar.xz
Checksums-Sha256: 
 00c0d5ee0651ff6ab96e74ab1d23627fc0ac7a75638043d3f6c82c1d6663cfba 2905 ghostscript_9.22~dfsg-2.1.dsc
 b9ff7049ff223c97c85862172d42a98c01b947c27277ae5f56af9367a2bf7102 105956 ghostscript_9.22~dfsg-2.1.debian.tar.xz
Files: 
 6cc02bb50fd60f4046899482ed087580 2905 text optional ghostscript_9.22~dfsg-2.1.dsc
 6783e389b486f699024d1c7baa6abce5 105956 text optional ghostscript_9.22~dfsg-2.1.debian.tar.xz


--- End Message ---
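The CVE text in the first message (overflows in the text-positioning calculation in set_text_distance) and the changelog entry in the second ("Guard against trying to output an infinite number"), together with the report title's mention of a buffer overflow in pprintg1, describe one failure mode: a derived coordinate becomes non-finite or absurdly large and is then handed to a formatter that writes into a fixed-size buffer. The following is an added example written for this page, not Ghostscript's code and not the upstream fix; it shows the general pattern of computing a text displacement by inverting a text matrix, rejecting inf/nan and out-of-range results before they reach the formatter, and checking snprintf's return value against the buffer size. The matrix layout, the MAX_COORD bound, the error codes and all function names are assumptions chosen for illustration.

```c
/* Added example (not Ghostscript code): guard text-positioning values
 * before formatting them into a fixed-size buffer.
 * Build: cc -std=c99 -Wall td_guard.c -o td_guard */
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 2x2 text matrix: (x', y') = (a*dx + b*dy, c*dx + d*dy). */
typedef struct { double a, b, c, d; } mat2;

/* Error codes chosen for this example. */
#define OK          0
#define ERR_RANGE  -1   /* non-finite or out-of-range coordinate */
#define ERR_BUFFER -2   /* formatted text would not fit the buffer */

/* Largest magnitude this example is willing to emit (assumption). */
#define MAX_COORD 1.0e9

/* Reject inf, nan and anything beyond MAX_COORD. Written without fabs()
 * so the example needs no libm. */
static int coord_ok(double v)
{
    return isfinite(v) && v <= MAX_COORD && v >= -MAX_COORD;
}

/* Solve M * (dx, dy) = (x, y). A singular or near-singular matrix gives
 * inf/nan or a huge quotient here; IEEE division does not trap, so the
 * caller must check the result explicitly. */
static int text_distance(const mat2 *m, double x, double y,
                         double *dx, double *dy)
{
    double det = m->a * m->d - m->b * m->c;
    *dx = ( m->d * x - m->b * y) / det;
    *dy = (-m->c * x + m->a * y) / det;
    if (!coord_ok(*dx) || !coord_ok(*dy))
        return ERR_RANGE;
    return OK;
}

/* Format one coordinate; refuse if the value is unsafe or if snprintf
 * reports it would have needed more room than buflen. */
static int format_coord(char *buf, size_t buflen, double v)
{
    int n;
    if (!coord_ok(v))
        return ERR_RANGE;
    n = snprintf(buf, buflen, "%g", v);
    if (n < 0 || (size_t)n >= buflen)
        return ERR_BUFFER;
    return OK;
}

/* Emit a "dx dy Td" text-positioning operator into out; 0 on success. */
static int emit_td(const mat2 *m, double x, double y, char *out, size_t outlen)
{
    double dx, dy;
    char sx[32], sy[32];
    int rc, n;

    if ((rc = text_distance(m, x, y, &dx, &dy)) != OK) return rc;
    if ((rc = format_coord(sx, sizeof sx, dx)) != OK) return rc;
    if ((rc = format_coord(sy, sizeof sy, dy)) != OK) return rc;
    n = snprintf(out, outlen, "%s %s Td", sx, sy);
    if (n < 0 || (size_t)n >= outlen) return ERR_BUFFER;
    return OK;
}

int main(void)
{
    /* Constructed inputs: an identity matrix and a singular one. */
    mat2 id   = {1, 0, 0, 1};
    mat2 sing = {1, 1, 1, 1};   /* det = 0: division yields inf/nan */
    char out[16];

    printf("identity: rc=%d out=\"%s\"\n",
           emit_td(&id, 10, 20, out, sizeof out), out);
    printf("singular: rc=%d (ERR_RANGE expected)\n",
           emit_td(&sing, 10, 20, out, sizeof out));
    printf("tiny buffer: rc=%d (ERR_BUFFER expected)\n",
           emit_td(&id, 10, 20, out, 8));
    return 0;
}
```

The two checks are independent: the range guard stops non-finite and oversized values at the point where they are produced, and the snprintf length check catches any remaining case where the formatted text is longer than the destination. Either one alone would have left a gap; a value of 1e308 passes through IEEE arithmetic as finite, and an unchecked formatter has no idea how large its input is.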