From: Leo Famulari
To: Alex Vong
Cc: guix-devel@gnu.org
Subject: Re: ghostscript vulnerabilities
Date: Wed, 12 Oct 2016 12:20:39 -0400
Message-ID: <20161012162039.GA31608@jasmine>
In-Reply-To: <87insx37ss.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote:
> > Package        : ghostscript
> > CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
> >                  CVE-2016-7979 CVE-2016-8602
> > Debian Bug     : 839118 839260 839841 839845 839846 840451
> >
> > Several vulnerabilities were discovered in Ghostscript, the GPL
> > PostScript/PDF interpreter, which may lead to the execution of arbitrary
> > code or information disclosure if a specially crafted Postscript file is
> > processed.
>
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?

I don't know the relationship between GNU Ghostscript and "upstream"
Ghostscript. Can anyone explain why GNU offers its own distribution?

We can try cherry-picking the upstream commits that fix each of these
bugs [0]. Hopefully they apply to our older Ghostscript version.

If the resulting package's ABI is compatible with our current package,
we can apply it with a graft on the master branch. We should also apply
these patches to the ghostscript package on core-updates.

Do you want to try it?

Debian helpfully links to the upstream commits corresponding to each
bug:

[0] https://security-tracker.debian.org/tracker/CVE-2013-5653
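The graft workflow described above (cherry-pick the upstream fixes into the existing package, then expose the patched build as a `replacement` so master users get it without a full rebuild) looks roughly like this in a Guix package definition. This is an added illustration, not code from the original message or from the Guix repository; the patch file name `ghostscript-CVE-2016-8602.patch` is assumed, and the version, hash and inputs are placeholders that would have to match the real `ghostscript` package in `gnu/packages/ghostscript.scm`.

```scheme
;; Added example of the Guix "graft" idiom, not the project's own code.
;; The patch file name and the package metadata below are assumptions.
(define-module (gnu packages ghostscript-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))          ; provides `search-patches'

;; The package already on master.  Its `replacement' field points at the
;; patched build below; Guix grafts the replacement's outputs onto every
;; dependent of this package instead of rebuilding those dependents.
(define-public ghostscript
  (package
    (name "ghostscript")
    (version "9.14.0")                  ; placeholder, not verified here
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
                                  version ".tar.xz"))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (replacement ghostscript/fixed)      ; <- enables the graft
    (home-page "https://www.gnu.org/software/ghostscript/")
    (synopsis "PostScript and PDF interpreter")
    (description "GNU Ghostscript is an interpreter for PostScript and PDF.")
    (license license:agpl3+)))

;; The replacement: identical to `ghostscript' except that the upstream
;; security fixes are applied as patches.  Because a graft only rewrites
;; store paths in the dependents' outputs, the patched package must keep
;; the same ABI (same SONAMEs and exported symbols) as the original.
(define ghostscript/fixed
  (package
    (inherit ghostscript)
    (source
     (origin
       (inherit (package-source ghostscript))
       ;; Cherry-picked upstream commit(s), saved under gnu/packages/patches/.
       ;; The file name is an assumption for this example.
       (patches (search-patches "ghostscript-CVE-2016-8602.patch"))))))
```

The ABI check that decides whether the graft is safe is done outside Guile: build both packages (`guix build ghostscript` and `guix build ghostscript --no-grafts` after adding the `replacement`), then compare the exported symbols of the shared libraries in the two store paths, for example with `nm -D --defined-only` on each `libgs.so` or with `abidiff` from libabigail. If the symbol set or SONAME changed, the fix belongs only on core-updates, where dependents are rebuilt, rather than as a graft on master.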