Bug#1033757: marked as done (ghostscript: CVE-2023-28879)



Your message dated Sat, 01 Apr 2023 08:49:12 +0000
with message-id <E1piWvA-00FYXv-KY@fasolo.debian.org>
and subject line Bug#1033757: fixed in ghostscript 10.0.0~dfsg-11
has caused the Debian Bug report #1033757,
regarding ghostscript: CVE-2023-28879
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 10.0.0~dfsg-9
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=706494
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ghostscript.

CVE-2023-28879[0]:
| In Artifex Ghostscript through 10.01.0, there is a buffer overflow
| leading to potential corruption of data internal to the PostScript
| interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode,
| TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte
| less than full, and one then tries to write an escaped character, two
| bytes are written.

I'm preparing an update for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28879
    https://www.cve.org/CVERecord?id=CVE-2023-28879
[1] https://bugs.ghostscript.com/show_bug.cgi?id=706494 (not public)

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
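
The off-by-one described in the CVE text above, modelled as an added example (not Ghostscript's code and not part of the original messages): an encoder that only tests for a full output buffer before writing a two-byte escape, next to the same loop with a two-byte room check. The function names, the escape set and the XOR 0x40 rule are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define CTRL_A 0x01 /* BCP escape prefix */

/* Assumed BCP escape set: control bytes the channel treats as special. */
static int needs_escape(unsigned char c) {
    switch (c) {
    case 0x01: case 0x03: case 0x04: case 0x05:
    case 0x11: case 0x13: case 0x14: case 0x1c: return 1;
    default: return 0;
    }
}

/* Encode src into dst[0..cap). Returns bytes written; *consumed = input used.
 * check_pair 0: only tests "buffer full" (flawed); 1: needs 2 free bytes. */
static size_t bcp_encode(const unsigned char *src, size_t n, unsigned char *dst,
                         size_t cap, int check_pair, size_t *consumed) {
    size_t r = 0, w = 0;
    for (; r < n; r++) {
        unsigned char c = src[r];
        if (w == cap) break;                 /* full: caller must drain first */
        if (needs_escape(c)) {
            if (check_pair && cap - w < 2) break; /* room for both bytes? */
            dst[w++] = CTRL_A;
            dst[w++] = (unsigned char)(c ^ 0x40); /* dst[cap] when w was cap-1 */
        } else {
            dst[w++] = c;
        }
    }
    *consumed = r;
    return w;
}

/* Constructed case: logical capacity 4 inside a 5-byte array, so the stray
 * write hits a guard byte, not foreign memory. Returns 1 if guard changed. */
static int guard_clobbered(int check_pair) {
    const unsigned char in[] = { 'a', 'b', 'c', 0x04 };
    unsigned char buf[5];
    size_t consumed;
    memset(buf, 0xAA, sizeof buf);
    bcp_encode(in, sizeof in, buf, 4, check_pair, &consumed);
    return buf[4] != 0xAA;
}

int main(void) {
    printf("full-only check: guard clobbered = %d\n", guard_clobbered(0));
    printf("pair check:      guard clobbered = %d\n", guard_clobbered(1));
}
```

With the pair check the encoder stops one input byte early and reports three bytes consumed, leaving the escaped character for the next call once the buffer has been drained.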
--- Begin Message ---
Source: ghostscript
Source-Version: 10.0.0~dfsg-11
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033757@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 01 Apr 2023 09:48:32 +0200
Source: ghostscript
Architecture: source
Version: 10.0.0~dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1033757
Changes:
 ghostscript (10.0.0~dfsg-11) unstable; urgency=medium
 .
   * QA upload.
   * Prevent buffer overrun in (T)BCP encoding (CVE-2023-28879)
     (Closes: #1033757)
Checksums-Sha1:
 d979e4f9cc8f632fc786f69bbc715a10757ce093 2987 ghostscript_10.0.0~dfsg-11.dsc
 7946dd26efb4274e62d31d6d955a839f34f135c5 85428 ghostscript_10.0.0~dfsg-11.debian.tar.xz
 7f47fd6c6a2baa5f0772ff6454ed61b7525cc239 7081 ghostscript_10.0.0~dfsg-11_source.buildinfo
Checksums-Sha256:
 e4e6af2e982228ea452f5dbd64f29f79db10f731571174adf3b37b0b913a5c97 2987 ghostscript_10.0.0~dfsg-11.dsc
 41861b53c348ce9b9cbe64cac2ecbba44d3bbb16c87a8cb807336f3107fc4650 85428 ghostscript_10.0.0~dfsg-11.debian.tar.xz
 dd83d1e03ac9b7d8cf139ab182a49843cd1acadbf84239970b2a8bf9aaf2e804 7081 ghostscript_10.0.0~dfsg-11_source.buildinfo
Files:
 202c53a276ed471f7e7333c15ae6f99b 2987 text optional ghostscript_10.0.0~dfsg-11.dsc
 360c629443995dd5aee569a840efe8cf 85428 text optional ghostscript_10.0.0~dfsg-11.debian.tar.xz
 4cf2a2c9332621fb66e496d7f7a16b39 7081 text optional ghostscript_10.0.0~dfsg-11_source.buildinfo

--- End Message ---
