Bug#1043033: marked as done (ghostscript: CVE-2023-38559)



Your message dated Thu, 14 Sep 2023 07:08:21 +0200
with message-id <ZQKVRYoX-t9Whrwb@eldamar.lan>
and subject line Re: Accepted ghostscript 10.02.0~dfsg-1 (source) into unstable
has caused the Debian Bug report #1043033,
regarding ghostscript: CVE-2023-38559
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1043033: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043033
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 10.01.2~dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=706897
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 10.0.0~dfsg-11+deb12u1
Control: found -1 10.0.0~dfsg-11
Control: found -1 9.53.3~dfsg-7+deb11u5
Control: found -1 9.53.3~dfsg-7

Hi,

The following vulnerability was published for ghostscript.

CVE-2023-38559[0]:
| A buffer overflow flaw was found in base/gdevdevn.c:1973 in
| devn_pcx_write_rle() in ghostscript. This issue may allow a local
| attacker to cause a denial of service via outputting a crafted PDF
| file for a DEVN device with gs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38559
    https://www.cve.org/CVERecord?id=CVE-2023-38559
[1] https://bugs.ghostscript.com/show_bug.cgi?id=706897 (private)
[2] https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 10.02.0~dfsg-1

On Wed, Sep 13, 2023 at 09:21:09PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Wed, 13 Sep 2023 20:18:16 +0200
> Source: ghostscript
> Architecture: source
> Version: 10.02.0~dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian QA Group <packages@qa.debian.org>
> Changed-By: Jonas Smedegaard <dr@jones.dk>
> Changes:
>  ghostscript (10.02.0~dfsg-1) unstable; urgency=medium
>  .
>    * QA upload
>  .
>    [ upstream ]
>    * new release(s)

This should address CVE-2023-38559 / #1043033 as well.

Closing with the fixed version accordingly.

Regards,
Salvatore

--- End Message ---