
Bug#944760: marked as done (ghostscript: CVE-2019-14869)



Your message dated Wed, 27 Nov 2019 00:04:34 +0000
with message-id <E1iZkos-0004zx-KI@fasolo.debian.org>
and subject line Bug#944760: fixed in ghostscript 9.50~dfsg-3
has caused the Debian Bug report #944760,
regarding ghostscript: CVE-2019-14869
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
944760: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944760
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 9.50~dfsg-2
Severity: grave
Tags: security upstream
Control: found -1 9.26a~dfsg-0+deb9u5
Control: found -1 9.26a~dfsg-0+deb9u1
Control: found -1 9.27~dfsg-2+deb10u2
Control: found -1 9.27~dfsg-1
Control: found -1 9.27~dfsg-3.1
Control: fixed -1 9.26a~dfsg-0+deb9u6
Control: fixed -1 9.27~dfsg-2+deb10u3

Hi,

The following vulnerability was published for ghostscript. I can agree
the severity is not exactly matching, as for 9.50 itself, it's not
anymore directly exploitable (unless with -dOLDSAFER). Still it cannot
be considered fixed, only after applying [1].

CVE-2019-14869[0]:
|-dSAFER escape in .charkeys

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14869
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14869
[1] https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abf
[2] https://bugs.ghostscript.com/show_bug.cgi?id=701841

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.50~dfsg-3

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 944760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Nov 2019 00:13:36 +0100
Source: ghostscript
Architecture: source
Version: 9.50~dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 944760
Changes:
 ghostscript (9.50~dfsg-3) unstable; urgency=medium
 .
   * add patch cherry-picked upstream to remove .forceput from /.charkeys;
     closes: bug#944760 (CVE-2019-10216); thanks to Salvatore Bonaccorso
   * unfuzz patches 2007 2009
Checksums-Sha1:
 cfb3c8afc7ba4daf47a9a2344b38cdf1daffc31f 2809 ghostscript_9.50~dfsg-3.dsc
 055b4da42d9ea7b02ccc1ee22a755b80f6a11f2a 111156 ghostscript_9.50~dfsg-3.debian.tar.xz
 7929f6e1fd1cb30f770f5327d330772a5528529d 11740 ghostscript_9.50~dfsg-3_amd64.buildinfo
Checksums-Sha256:
 a8ca41455c05de16fd05571ebfc2ee4cba849de5be4bd07ea34207e2760c6ead 2809 ghostscript_9.50~dfsg-3.dsc
 21e356ffe006d70478e839a7fcf0d6bea33860b7e8d73e9dbba72e6ccab773e1 111156 ghostscript_9.50~dfsg-3.debian.tar.xz
 225483ebce39e659eef059d6f939322a3de5078ed14479f6492ca99dad8d6724 11740 ghostscript_9.50~dfsg-3_amd64.buildinfo
Files:
 a7382f6443e24539caf4a2a6ffa9e303 2809 text optional ghostscript_9.50~dfsg-3.dsc
 dec3bef925edf0a86f6d69225a87e6f7 111156 text optional ghostscript_9.50~dfsg-3.debian.tar.xz
 281aadb08ee659e312ddabfe78370562 11740 text optional ghostscript_9.50~dfsg-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
