
Bug#896069: marked as done (ghostscript: CVE-2018-10194: Buffer overflow on pprintg1 due to mishandle postscript file data to pdf)



Your message dated Mon, 28 May 2018 21:17:39 +0000
with message-id <E1fNPWN-000HyQ-UZ@fasolo.debian.org>
and subject line Bug#896069: fixed in ghostscript 9.06~dfsg-2+deb8u7
has caused the Debian Bug report #896069,
regarding ghostscript: CVE-2018-10194: Buffer overflow on pprintg1 due to mishandle postscript file data to pdf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
896069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896069
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=699255

Hi,

The following vulnerability was published for ghostscript.

CVE-2018-10194[0]:
| The set_text_distance function in devices/vector/gdevpdts.c in the
| pdfwrite component in Artifex Ghostscript through 9.22 does not prevent
| overflows in text-positioning calculation, which allows remote
| attackers to cause a denial of service (application crash) or possibly
| have unspecified other impact via a crafted PDF document.

Unfortunately the upstream report at [1] is not (yet) public, but the
upstream commit associated with the report is given at [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
[1] https://bugs.ghostscript.com/show_bug.cgi?id=699255
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879

Regards,
Salvatore

--- End Message ---
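The report above describes a text-positioning value, computed from untrusted file data, that pdfwrite formats into an output buffer without bounding it; the changelog below records the fix as a guard against outputting an infinite number. The C program that follows is an added illustration of that bug class and of the guard, written for this page; it is not Ghostscript code, and the function names, the 32-byte buffer and the 1e9 magnitude bound are assumptions. It compares an unguarded "%f" formatter (where a huge finite operand needs several hundred bytes, far more than a small fixed buffer would hold) with a guarded one that rejects non-finite and out-of-range operands before formatting and treats truncation as an error. Note that C's own printf renders an infinity as the three characters "inf", so the overflow shown here uses a large finite value; how Ghostscript's own pprintg1 handled infinities is not detailed on this page.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes and names for this illustration; none are Ghostscript's. */
#define POS_BUF   32      /* fixed buffer a formatter might hand to sprintf */
#define MAX_ABS   1e9     /* hypothetical magnitude bound for a text position */

/* Unguarded: how many bytes does "%f %f Td\n" actually need for dx, dy?
 * A 1e308 operand needs more than 300 bytes; with a real sprintf() into a
 * POS_BUF-byte stack buffer that is a stack overflow. snprintf() is used so
 * the demo itself cannot corrupt memory; the return value is the needed size. */
int unguarded_needed_len(double dx, double dy)
{
    char buf[POS_BUF];
    return snprintf(buf, sizeof buf, "%f %f Td\n", dx, dy);
}

/* Guarded: reject non-finite or out-of-range operands before formatting,
 * and treat truncation as an error rather than silently emitting a partial
 * operator. Returns the number of bytes written, or -1 on rejection. */
int set_text_distance_guarded(char *out, size_t outsz, double dx, double dy)
{
    int n;

    if (!isfinite(dx) || !isfinite(dy))
        return -1;                     /* inf or NaN derived from the input file */
    if (dx > MAX_ABS || dx < -MAX_ABS || dy > MAX_ABS || dy < -MAX_ABS)
        return -1;                     /* finite but absurd for a page position */

    n = snprintf(out, outsz, "%.4f %.4f Td\n", dx, dy);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                     /* output would have been truncated */
    return n;
}

/* Convenience wrapper: 1 if the guarded formatter accepts (dx, dy) and
 * produces exactly `expect`, 0 if it rejects or the text differs. */
int guarded_emits(double dx, double dy, const char *expect)
{
    char out[POS_BUF];
    int n = set_text_distance_guarded(out, sizeof out, dx, dy);
    return n > 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample operands: one sane pair, one huge finite value,
     * one infinity and one NaN, as a hostile file could produce. */
    const double inputs[][2] = {
        { 12.5, -3.0 }, { 1e308, 0.0 }, { INFINITY, 0.0 }, { 0.0, NAN }
    };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char out[POS_BUF];
        double dx = inputs[i][0], dy = inputs[i][1];
        int need = unguarded_needed_len(dx, dy);
        int got = set_text_distance_guarded(out, sizeof out, dx, dy);

        printf("dx=%g dy=%g: unguarded needs %d bytes (buffer %d); guarded: %s",
               dx, dy, need, POS_BUF, got < 0 ? "rejected\n" : out);
    }
    return 0;
}
```

The order of the checks matters: the finiteness test must come first, because a NaN compares false against every bound and would otherwise slip through the magnitude check.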
--- Begin Message ---
Source: ghostscript
Source-Version: 9.06~dfsg-2+deb8u7

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 896069@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Apr 2018 11:58:34 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.06~dfsg-2+deb8u7
Distribution: jessie
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860869 896069
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u7) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Segfault with fuzzing file in gxht_thresh_image_init
   * Buffer overflow in fill_threshold_buffer (CVE-2016-10317)
     (Closes: #860869)
   * pdfwrite - Guard against trying to output an infinite number
     (CVE-2018-10194) (Closes: #896069)
Checksums-Sha1: 
 a22ce2320d10e74f121f3f7b14192f9d36a62571 3047 ghostscript_9.06~dfsg-2+deb8u7.dsc
 00bc5ae83b86c12d02017ca915d56c8a330cbc3a 104224 ghostscript_9.06~dfsg-2+deb8u7.debian.tar.xz
 d41c02e653e8e84add9ac587bd73ae67dfb81433 5068100 ghostscript-doc_9.06~dfsg-2+deb8u7_all.deb
 a422aa41cab7288480a8bf2501af308652e4d951 1981464 libgs9-common_9.06~dfsg-2+deb8u7_all.deb
Checksums-Sha256: 
 fead0e9c4fcea9a56203801de578d5de84f71c513ff38454e9c96da3b2f37b16 3047 ghostscript_9.06~dfsg-2+deb8u7.dsc
 a3e2b1e2fc5e1c1581f952105f1ec85a28e609dc027bea2c8b4d82c392cdfa24 104224 ghostscript_9.06~dfsg-2+deb8u7.debian.tar.xz
 2d128342670d19d9b20e125c0963cbd57662d44fd312f205ca560d498848aa60 5068100 ghostscript-doc_9.06~dfsg-2+deb8u7_all.deb
 2ddc623f6bde9c2ac32b6e59190b2ec01afc37d1cde4e0b849af8d3d8d91b501 1981464 libgs9-common_9.06~dfsg-2+deb8u7_all.deb
Files: 
 46f7d6cef86c990c1a34fcf760ec6231 3047 text optional ghostscript_9.06~dfsg-2+deb8u7.dsc
 b53c8f2b8223aafccb8e3362ed3e60a7 104224 text optional ghostscript_9.06~dfsg-2+deb8u7.debian.tar.xz
 0e1488d7a21abd82b84ff27a3bfd3af8 5068100 doc optional ghostscript-doc_9.06~dfsg-2+deb8u7_all.deb
 22aa9e7953f136e8438c770fb957a71c 1981464 libs optional libgs9-common_9.06~dfsg-2+deb8u7_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsJJnNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E/GIP/3pE978Q10vheUMg4V0jNXuYrBAKf/V0
Ju2TA3NDU3pJB+ij7Qqo1hV+SY8cOYpAGMinuyfU2wpj9KyudobUeJRh9rsjQKpk
/ysJRV+W6DRIpFwtutn5tWIY/XUwqAntWDoqrtY4Uy//ctFT7qlk6qkeACFUOuR9
aBDiv5ZgkJV+45/5dYBLU+8S1HIOAiJBo5FFDCRxThooavSgBa/OQdtJy7Sd0xFf
pSy8TRC79SLg9vDQuCv1dwnmyQH5oQalr3VTeAm5cMpoDvQG1sqRV1asAjMXasA1
wATh1lzLqmGGMyl+kYGzAJF8TKfn1bT5YB+2hGOYtKWVuR12ABAjMdn+5+yZpiBQ
xff/guaEuoI0/963TXNfzTatD9Nz7+S3pv6/0S14oXd5AJbkUdzK7p/OwjHXjsWg
XotXbSEDrRjGWATt9PwXKJs3HaBChDgLcxKmouRVKwapI1L8ySJFjHmhJJSWgGwY
knIgNu+2nbuTPJ49SRc4dbvhtOwFKCutjcnYoXSDYwdnQVms0z8mSnb34e9dBibU
YWjM/FgdWqjqfQdKgf7NEI2OTmrOsu/alEt0qi0t7aUZTfg39FdgUbr7qVcaZtq1
1eBm2fWS2oMvHSFXtM1aqIDjNkXrKMeZMHVVGLrbYzN1dhE55KwiNFeAIcLDW4fZ
4DQVRpaNm8nu
=xlc6
-----END PGP SIGNATURE-----

--- End Message ---