
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER



Hi,

On Mon, Aug 27, 2018 at 08:34:25PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> > Hi,
> > 
> > On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > > Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
> > > execution:  http://openwall.com/lists/oss-security/2018/08/21/2
> > 
> > There are actually several issues, see the whole thread. For now, since
> > you filed this bug, we will track all those with this bug entry. Proper
> > evaluation though is still pending (and Moritz is taking care of
> > stretch, adding this note to dsa-needed file: "needs some research on
> > issues found by Tavis").
> > 
> > See
> > 
> > https://www.kb.cert.org/vuls/id/332928
> > 
> > the current set of fixes:
> > 
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
> 
> Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19

A first set of CVEs has now been assigned already:

CVE-2018-15908, CVE-2018-15909 and CVE-2018-15910.

Regards,
Salvatore

