* ghostscript vulnerabilities [not found] <E1buKjg-00057S-2V@master.debian.org> @ 2016-10-12 15:29 ` Alex Vong 2016-10-12 16:20 ` Leo Famulari 2016-10-12 21:13 ` Ludovic Courtès 0 siblings, 2 replies; 9+ messages in thread From: Alex Vong @ 2016-10-12 15:29 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 1775 bytes --] Hello, Below are from the security announcement list: Salvatore Bonaccorso <carnil@debian.org> writes: > ------------------------------------------------------------------------- > Debian Security Advisory DSA-3691-1 security@debian.org > https://www.debian.org/security/ Salvatore Bonaccorso > October 12, 2016 https://www.debian.org/security/faq > ------------------------------------------------------------------------- > > Package : ghostscript > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 > CVE-2016-7979 CVE-2016-8602 > Debian Bug : 839118 839260 839841 839845 839846 840451 > > Several vulnerabilities were discovered in Ghostscript, the GPL > PostScript/PDF interpreter, which may lead to the execution of arbitrary > code or information disclosure if a specially crafted Postscript file is > processed. > > For the stable distribution (jessie), these problems have been fixed in > version 9.06~dfsg-2+deb8u3. > > We recommend that you upgrade your ghostscript packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: debian-security-announce@lists.debian.org I've checked just now. GNU Ghostscript is also affected at least by CVE-2016-8602. Looking at the patch in this bug report[0] and the source[1], one can see that the vulnerable lines are present in GNU Ghostscript. What should we do now? [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c Thanks, Alex [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 454 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong @ 2016-10-12 16:20 ` Leo Famulari 2016-10-12 16:26 ` Leo Famulari 2016-10-12 21:13 ` Ludovic Courtès 1 sibling, 1 reply; 9+ messages in thread From: Leo Famulari @ 2016-10-12 16:20 UTC (permalink / raw) To: Alex Vong; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1436 bytes --] On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote: > > Package : ghostscript > > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 > > CVE-2016-7979 CVE-2016-8602 > > Debian Bug : 839118 839260 839841 839845 839846 840451 > > > > Several vulnerabilities were discovered in Ghostscript, the GPL > > PostScript/PDF interpreter, which may lead to the execution of arbitrary > > code or information disclosure if a specially crafted Postscript file is > > processed. > I've checked just now. GNU Ghostscript is also affected at least by > CVE-2016-8602. Looking at the patch in this bug report[0] and the > source[1], one can see that the vulnerable lines are present in GNU > Ghostscript. What should we do now? I don't know the relationship between GNU Ghostscript and "upstream" Ghostscript. Can anyone explain why GNU offers its own distribution? We can try cherry-picking the upstream commits that fix each of these bugs [0]. Hopefully they apply to our older Ghostscript version. If the resulting package's ABI is compatible to our current package, we can apply it with a graft on the master branch. We should also apply these patches to the ghostscript package on core-updates. Do you want to try it? Debian helpfully links to the upstream commits corresponding to each bug: https://security-tracker.debian.org/tracker/CVE-2013-5653 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-12 16:20 ` Leo Famulari @ 2016-10-12 16:26 ` Leo Famulari 0 siblings, 0 replies; 9+ messages in thread From: Leo Famulari @ 2016-10-12 16:26 UTC (permalink / raw) To: Alex Vong; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 337 bytes --] On Wed, Oct 12, 2016 at 12:20:39PM -0400, Leo Famulari wrote: > I don't know the relationship between GNU Ghostscript and "upstream" > Ghostscript. Can anyone explain why GNU offers its own distribution? Some history here: https://en.wikipedia.org/wiki/Ghostscript#History Hopefully the upstream patches will apply to our source code. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong 2016-10-12 16:20 ` Leo Famulari @ 2016-10-12 21:13 ` Ludovic Courtès 2016-10-15 7:36 ` Mark H Weaver 1 sibling, 1 reply; 9+ messages in thread From: Ludovic Courtès @ 2016-10-12 21:13 UTC (permalink / raw) To: bug-ghostscript, didier; +Cc: guix-devel Hello Didier and all, We are wondering about the applicability to GNU Ghostscript of the recent vulnerabilities discovered in AGPL Ghostscript: Alex Vong <alexvong1995@gmail.com> skribis: > Salvatore Bonaccorso <carnil@debian.org> writes: > >> ------------------------------------------------------------------------- >> Debian Security Advisory DSA-3691-1 security@debian.org >> https://www.debian.org/security/ Salvatore Bonaccorso >> October 12, 2016 https://www.debian.org/security/faq >> ------------------------------------------------------------------------- >> >> Package : ghostscript >> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 >> CVE-2016-7979 CVE-2016-8602 >> Debian Bug : 839118 839260 839841 839845 839846 840451 >> >> Several vulnerabilities were discovered in Ghostscript, the GPL >> PostScript/PDF interpreter, which may lead to the execution of arbitrary >> code or information disclosure if a specially crafted Postscript file is >> processed. [...] > I've checked just now. GNU Ghostscript is also affected at least by > CVE-2016-8602. Looking at the patch in this bug report[0] and the > source[1], one can see that the vulnerable lines are present in GNU > Ghostscript. What should we do now? > > [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 > [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c WDYT? Perhaps a new release incorporating the fixes is in order? Thanks, Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-12 21:13 ` Ludovic Courtès @ 2016-10-15 7:36 ` Mark H Weaver 2016-10-16 9:16 ` Didier Link 0 siblings, 1 reply; 9+ messages in thread From: Mark H Weaver @ 2016-10-15 7:36 UTC (permalink / raw) To: Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript ludo@gnu.org (Ludovic Courtès) writes: > Hello Didier and all, > > We are wondering about the applicability to GNU Ghostscript of the > recent vulnerabilities discovered in AGPL Ghostscript: > > Alex Vong <alexvong1995@gmail.com> skribis: > >> Salvatore Bonaccorso <carnil@debian.org> writes: >> >>> ------------------------------------------------------------------------- >>> Debian Security Advisory DSA-3691-1 security@debian.org >>> https://www.debian.org/security/ Salvatore Bonaccorso >>> October 12, 2016 https://www.debian.org/security/faq >>> ------------------------------------------------------------------------- >>> >>> Package : ghostscript >>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 >>> CVE-2016-7979 CVE-2016-8602 >>> Debian Bug : 839118 839260 839841 839845 839846 840451 >>> >>> Several vulnerabilities were discovered in Ghostscript, the GPL >>> PostScript/PDF interpreter, which may lead to the execution of arbitrary >>> code or information disclosure if a specially crafted Postscript file is >>> processed. > > [...] > >> I've checked just now. GNU Ghostscript is also affected at least by >> CVE-2016-8602. Looking at the patch in this bug report[0] and the >> source[1], one can see that the vulnerable lines are present in GNU >> Ghostscript. What should we do now? >> >> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 >> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c > > WDYT? Perhaps a new release incorporating the fixes is in order? FYI, I ported the upstream patches to GNU ghostscript for GNU Guix. You can find them here: http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880 Mark ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-15 7:36 ` Mark H Weaver @ 2016-10-16 9:16 ` Didier Link 2016-10-16 15:47 ` Alex Vong 0 siblings, 1 reply; 9+ messages in thread From: Didier Link @ 2016-10-16 9:16 UTC (permalink / raw) To: Mark H Weaver, Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript [-- Attachment #1.1.1: Type: text/plain, Size: 2122 bytes --] Hello all I will review the Mark's patches and apply them for a security release next week. Thanks for your help ! Best regards Didier Le 15/10/2016 à 09:36, Mark H Weaver a écrit : > ludo@gnu.org (Ludovic Courtès) writes: > >> Hello Didier and all, >> >> We are wondering about the applicability to GNU Ghostscript of the >> recent vulnerabilities discovered in AGPL Ghostscript: >> >> Alex Vong <alexvong1995@gmail.com> skribis: >> >>> Salvatore Bonaccorso <carnil@debian.org> writes: >>> >>>> ------------------------------------------------------------------------- >>>> Debian Security Advisory DSA-3691-1 security@debian.org >>>> https://www.debian.org/security/ Salvatore Bonaccorso >>>> October 12, 2016 https://www.debian.org/security/faq >>>> ------------------------------------------------------------------------- >>>> >>>> Package : ghostscript >>>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 >>>> CVE-2016-7979 CVE-2016-8602 >>>> Debian Bug : 839118 839260 839841 839845 839846 840451 >>>> >>>> Several vulnerabilities were discovered in Ghostscript, the GPL >>>> PostScript/PDF interpreter, which may lead to the execution of arbitrary >>>> code or information disclosure if a specially crafted Postscript file is >>>> processed. >> [...] >> >>> I've checked just now. GNU Ghostscript is also affected at least by >>> CVE-2016-8602. Looking at the patch in this bug report[0] and the >>> source[1], one can see that the vulnerable lines are present in GNU >>> Ghostscript. What should we do now? >>> >>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 >>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c >> WDYT? Perhaps a new release incorporating the fixes is in order? > FYI, I ported the upstream patches to GNU ghostscript for GNU Guix. > You can find them here: > > http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880 > > Mark [-- Attachment #1.1.2: Type: text/html, Size: 3875 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-16 9:16 ` Didier Link @ 2016-10-16 15:47 ` Alex Vong 2016-11-06 18:34 ` Didier Link 0 siblings, 1 reply; 9+ messages in thread From: Alex Vong @ 2016-10-16 15:47 UTC (permalink / raw) To: Didier Link; +Cc: guix-devel, bug-ghostscript [-- Attachment #1: Type: text/plain, Size: 2474 bytes --] Hello, I notice the patch for CVE-2016-7977[0] handles the problem differently than GNU Ghostscript[1] does. Maybe you can take a look at it. [0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c Thanks, Alex Didier Link <didier@famille-link.fr> writes: > Hello all > > I will review the Mark's patches and apply them for a security release next week. > > Thanks for your help ! > > Best regards > > Didier > > Le 15/10/2016 à 09:36, Mark H Weaver a écrit : > > ludo@gnu.org (Ludovic Courtès) writes: > > Hello Didier and all, > > We are wondering about the applicability to GNU Ghostscript of the > recent vulnerabilities discovered in AGPL Ghostscript: > > Alex Vong <alexvong1995@gmail.com> skribis: > > Salvatore Bonaccorso <carnil@debian.org> writes: > > ------------------------------------------------------------------------- > > Debian Security Advisory DSA-3691-1 security@debian.org > https://www.debian.org/security/ Salvatore Bonaccorso > October 12, 2016 https://www.debian.org/security/faq > ------------------------------------------------------------------------- > > Package : ghostscript > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 > CVE-2016-7979 CVE-2016-8602 > Debian Bug : 839118 839260 839841 839845 839846 840451 > > Several vulnerabilities were discovered in Ghostscript, the GPL > PostScript/PDF interpreter, which may lead to the execution of arbitrary > code or information disclosure if a specially crafted Postscript file is > processed. > > [...] > > I've checked just now. GNU Ghostscript is also affected at least by > CVE-2016-8602. Looking at the patch in this bug report[0] and the > source[1], one can see that the vulnerable lines are present in GNU > Ghostscript. What should we do now? > > [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 > [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c > > WDYT? Perhaps a new release incorporating the fixes is in order? > > FYI, I ported the upstream patches to GNU ghostscript for GNU Guix. > You can find them here: > > http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880 > > Mark [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 800 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-10-16 15:47 ` Alex Vong @ 2016-11-06 18:34 ` Didier Link 2016-11-06 21:38 ` Ludovic Courtès 0 siblings, 1 reply; 9+ messages in thread From: Didier Link @ 2016-11-06 18:34 UTC (permalink / raw) To: bug-ghostscript; +Cc: guix-devel [-- Attachment #1.1.1: Type: text/plain, Size: 2908 bytes --] Le 16/10/2016 à 17:47, Alex Vong a écrit : > Hello, > > I notice the patch for CVE-2016-7977[0] handles the problem differently > than GNU Ghostscript[1] does. Maybe you can take a look at it. > > [0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 > [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c > > Thanks, > Alex Hello, I've just released a gnu-ghostscript point release with the CVE patches adapted by Mark (really thanks !!!). For the CVE-2016-7977 I've see that the file concerned was modified in later release of gpl-ghostscript, I will see in later release of gnu version ;) Best regards Didier > > Didier Link <didier@famille-link.fr> writes: > >> Hello all >> >> I will review the Mark's patches and apply them for a security release next week. >> >> Thanks for your help ! >> >> Best regards >> >> Didier >> >> Le 15/10/2016 à 09:36, Mark H Weaver a écrit : >> >> ludo@gnu.org (Ludovic Courtès) writes: >> >> Hello Didier and all, >> >> We are wondering about the applicability to GNU Ghostscript of the >> recent vulnerabilities discovered in AGPL Ghostscript: >> >> Alex Vong <alexvong1995@gmail.com> skribis: >> >> Salvatore Bonaccorso <carnil@debian.org> writes: >> >> ------------------------------------------------------------------------- >> >> Debian Security Advisory DSA-3691-1 security@debian.org >> https://www.debian.org/security/ Salvatore Bonaccorso >> October 12, 2016 https://www.debian.org/security/faq >> ------------------------------------------------------------------------- >> >> Package : ghostscript >> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 >> CVE-2016-7979 CVE-2016-8602 >> Debian Bug : 839118 839260 839841 839845 839846 840451 >> >> Several vulnerabilities were discovered in Ghostscript, the GPL >> PostScript/PDF interpreter, which may lead to the execution of arbitrary >> code or information disclosure if a specially crafted Postscript file is >> processed. >> >> [...] >> >> I've checked just now. GNU Ghostscript is also affected at least by >> CVE-2016-8602. Looking at the patch in this bug report[0] and the >> source[1], one can see that the vulnerable lines are present in GNU >> Ghostscript. What should we do now? >> >> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 >> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c >> >> WDYT? Perhaps a new release incorporating the fixes is in order? >> >> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix. >> You can find them here: >> >> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880 >> >> Mark [-- Attachment #1.1.2: Type: text/html, Size: 4660 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities 2016-11-06 18:34 ` Didier Link @ 2016-11-06 21:38 ` Ludovic Courtès 0 siblings, 0 replies; 9+ messages in thread From: Ludovic Courtès @ 2016-11-06 21:38 UTC (permalink / raw) To: Didier Link; +Cc: guix-devel, bug-ghostscript Hi Didier, Didier Link <didier@famille-link.fr> skribis: > I've just released a gnu-ghostscript point release with the CVE patches > adapted by Mark (really thanks !!!). Thank you! > For the CVE-2016-7977 I've see that the file concerned was modified in > later release of gpl-ghostscript, I will see in later release of gnu > version ;) So is GNU Ghostscript 9.14.1 still vulnerable to CVE-2016-7977? Cheers, Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-11-06 21:39 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <E1buKjg-00057S-2V@master.debian.org>
2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong
2016-10-12 16:20 ` Leo Famulari
2016-10-12 16:26 ` Leo Famulari
2016-10-12 21:13 ` Ludovic Courtès
2016-10-15 7:36 ` Mark H Weaver
2016-10-16 9:16 ` Didier Link
2016-10-16 15:47 ` Alex Vong
2016-11-06 18:34 ` Didier Link
2016-11-06 21:38 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).