From mboxrd@z Thu Jan  1 00:00:00 1970
From: Didier Link <didier@famille-link.fr>
Subject: Re: ghostscript vulnerabilities
Date: Sun, 6 Nov 2016 19:34:55 +0100
Message-ID: <85f3d7fe-56e2-be63-3595-929e928220ed@famille-link.fr>
References: <E1buKjg-00057S-2V@master.debian.org> <87insx37ss.fsf@gmail.com>
	<87mvi9l17x.fsf@gnu.org> <87a8e6jc6q.fsf@netris.org>
	<c6ff8743-187b-49d1-8597-bf252bd1fedd@famille-link.fr>
	<87twcc5m90.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
	boundary="B1LSHF5sRuuNr3PxPvrDngDGVva1WDGrC"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59517)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <didier@famille-link.fr>) id 1c3SHk-000680-7j
	for guix-devel@gnu.org; Sun, 06 Nov 2016 13:35:17 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <didier@famille-link.fr>) id 1c3SHj-0000zL-1u
	for guix-devel@gnu.org; Sun, 06 Nov 2016 13:35:16 -0500
In-Reply-To: <87twcc5m90.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: bug-ghostscript@gnu.org
Cc: guix-devel@gnu.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--B1LSHF5sRuuNr3PxPvrDngDGVva1WDGrC
Content-Type: multipart/mixed; boundary="ii2Q4fcS4QtmBp3ScxGWcoJIS1wnaeQtk"
From: Didier Link <didier@famille-link.fr>
To: bug-ghostscript@gnu.org
Cc: Alex Vong <alexvong1995@gmail.com>, Mark H Weaver <mhw@netris.org>,
 =?UTF-8?Q?Ludovic_Court=c3=a8s?= <ludo@gnu.org>, guix-devel@gnu.org
Message-ID: <85f3d7fe-56e2-be63-3595-929e928220ed@famille-link.fr>
Subject: Re: ghostscript vulnerabilities
References: <E1buKjg-00057S-2V@master.debian.org> <87insx37ss.fsf@gmail.com>
 <87mvi9l17x.fsf@gnu.org> <87a8e6jc6q.fsf@netris.org>
 <c6ff8743-187b-49d1-8597-bf252bd1fedd@famille-link.fr>
 <87twcc5m90.fsf@gmail.com>
In-Reply-To: <87twcc5m90.fsf@gmail.com>

--ii2Q4fcS4QtmBp3ScxGWcoJIS1wnaeQtk
Content-Type: multipart/alternative;
 boundary="------------B9CE162A6AB66FFCA20AA20D"

This is a multi-part message in MIME format.
--------------B9CE162A6AB66FFCA20AA20D
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Le 16/10/2016 =C3=A0 17:47, Alex Vong a =C3=A9crit :
> Hello,
>
> I notice the patch for CVE-2016-7977[0] handles the problem differently=

> than GNU Ghostscript[1] does. Maybe you can take a look at it.
>
> [0]: http://git.ghostscript.com/?p=3Dghostpdl.git;a=3Dcommitdiff;h=3D8a=
bd22010eb4db0fb1b10e430d5f5d83e015ef70
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c
>
> Thanks,
> Alex

Hello,

I've just released a gnu-ghostscript point release with the CVE patches
adapted by Mark (really thanks !!!).

For the CVE-2016-7977 I've see that the file concerned was modified in
later release of gpl-ghostscript, I will see in later release of gnu
version ;)

Best regards

Didier

>
> Didier Link <didier@famille-link.fr> writes:
>
>> Hello all
>>
>> I will review the Mark's patches and apply them for a security release=
 next week.
>>
>> Thanks for your help !
>>
>> Best regards
>>
>> Didier
>>
>> Le 15/10/2016 =C3=A0 09:36, Mark H Weaver a =C3=A9crit :
>>
>>  ludo@gnu.org (Ludovic Court=C3=A8s) writes:
>>
>>  Hello Didier and all,
>>
>> We are wondering about the applicability to GNU Ghostscript of the
>> recent vulnerabilities discovered in AGPL Ghostscript:
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>  Salvatore Bonaccorso <carnil@debian.org> writes:
>>
>>  ---------------------------------------------------------------------=
----
>> =20
>> Debian Security Advisory DSA-3691-1                   security@debian.=
org
>> https://www.debian.org/security/                     Salvatore Bonacco=
rso
>> October 12, 2016                      https://www.debian.org/security/=
faq
>> ----------------------------------------------------------------------=
---
>>
>> Package        : ghostscript
>> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-79=
78=20
>>                  CVE-2016-7979 CVE-2016-8602
>> Debian Bug     : 839118 839260 839841 839845 839846 840451
>>
>> Several vulnerabilities were discovered in Ghostscript, the GPL
>> PostScript/PDF interpreter, which may lead to the execution of arbitra=
ry
>> code or information disclosure if a specially crafted Postscript file =
is
>> processed.
>>
>> [...]
>>
>>  I've checked just now. GNU Ghostscript is also affected at least by
>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>> source[1], one can see that the vulnerable lines are present in GNU
>> Ghostscript. What should we do now?
>>
>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D840451
>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>>
>> WDYT?  Perhaps a new release incorporating the fixes is in order?
>>
>> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
>> You can find them here:
>>
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=3D1de17a648fa631f=
0074d315bfff0716220ce4880
>>
>>       Mark



--------------B9CE162A6AB66FFCA20AA20D
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>

    <meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf=
-8">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">Le 16/10/2016 =C3=A0 17:47, Alex Vong =
a
      =C3=A9crit=C2=A0:<br>
    </div>
    <blockquote class=3D" cite" id=3D"mid_87twcc5m90_fsf_gmail_com"
      cite=3D"mid:87twcc5m90.fsf@gmail.com" type=3D"cite">
      <pre wrap=3D"">Hello,

I notice the patch for CVE-2016-7977[0] handles the problem differently
than GNU Ghostscript[1] does. Maybe you can take a look at it.

[0]: <a class=3D"moz-txt-link-freetext" href=3D"http://git.ghostscript.co=
m/?p=3Dghostpdl.git;a=3Dcommitdiff;h=3D8abd22010eb4db0fb1b10e430d5f5d83e0=
15ef70">http://git.ghostscript.com/?p=3Dghostpdl.git;a=3Dcommitdiff;h=3D8=
abd22010eb4db0fb1b10e430d5f5d83e015ef70</a>
[1]: <a class=3D"moz-txt-link-freetext" href=3D"http://git.savannah.gnu.o=
rg/cgit/ghostscript.git/tree/psi/zfile.c">http://git.savannah.gnu.org/cgi=
t/ghostscript.git/tree/psi/zfile.c</a>

Thanks,
Alex</pre>
    </blockquote>
    <br>
    Hello,<br>
    <br>
    I've just released a gnu-ghostscript point release with the CVE
    patches adapted by Mark (really thanks !!!).<br>
    <br>
    For the CVE-2016-7977 I've see that the file concerned was modified
    in later release of gpl-ghostscript, I will see in later release of
    gnu version ;)<br>
    <br>
    Best regards<br>
    <br>
    Didier<br>
    <br>
    <blockquote class=3D" cite" id=3D"mid_87twcc5m90_fsf_gmail_com"
      cite=3D"mid:87twcc5m90.fsf@gmail.com" type=3D"cite">
      <pre wrap=3D"">

Didier Link <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:didier@fami=
lle-link.fr">&lt;didier@famille-link.fr&gt;</a> writes:

</pre>
      <blockquote class=3D" cite" id=3D"Cite_9616606" type=3D"cite">
        <pre wrap=3D"">Hello all

I will review the Mark's patches and apply them for a security release ne=
xt week.

Thanks for your help !

Best regards

Didier

Le 15/10/2016 =C3=A0 09:36, Mark H Weaver a =C3=A9crit :

 <a class=3D"moz-txt-link-abbreviated" href=3D"mailto:ludo@gnu.org">ludo@=
gnu.org</a> (Ludovic Court=C3=A8s) writes:

 Hello Didier and all,

We are wondering about the applicability to GNU=C2=A0Ghostscript of the
recent vulnerabilities discovered in AGPL=C2=A0Ghostscript:

Alex Vong <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:alexvong1995@=
gmail.com">&lt;alexvong1995@gmail.com&gt;</a> skribis:

 Salvatore Bonaccorso <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:c=
arnil@debian.org">&lt;carnil@debian.org&gt;</a> writes:

 ------------------------------------------------------------------------=
-
=20
Debian Security Advisory DSA-3691-1                   <a class=3D"moz-txt=
-link-abbreviated" href=3D"mailto:security@debian.org">security@debian.or=
g</a>
<a class=3D"moz-txt-link-freetext" href=3D"https://www.debian.org/securit=
y/">https://www.debian.org/security/</a>                     Salvatore Bo=
naccorso
October 12, 2016                      <a class=3D"moz-txt-link-freetext" =
href=3D"https://www.debian.org/security/faq">https://www.debian.org/secur=
ity/faq</a>
-------------------------------------------------------------------------=


Package        : ghostscript
CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 =

                 CVE-2016-7979 CVE-2016-8602
Debian Bug     : 839118 839260 839841 839845 839846 840451

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may lead to the execution of arbitrary
code or information disclosure if a specially crafted Postscript file is
processed.

[...]

 I've checked just now. GNU Ghostscript is also affected at least by
CVE-2016-8602. Looking at the patch in this bug report[0] and the
source[1], one can see that the vulnerable lines are present in GNU
Ghostscript. What should we do now?

[0]: <a class=3D"moz-txt-link-freetext" href=3D"https://bugs.debian.org/c=
gi-bin/bugreport.cgi?bug=3D840451">https://bugs.debian.org/cgi-bin/bugrep=
ort.cgi?bug=3D840451</a>
[1]: <a class=3D"moz-txt-link-freetext" href=3D"http://git.savannah.gnu.o=
rg/cgit/ghostscript.git/tree/psi/zht2.c">http://git.savannah.gnu.org/cgit=
/ghostscript.git/tree/psi/zht2.c</a>

WDYT?  Perhaps a new release incorporating the fixes is in order?

FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
You can find them here:

<a class=3D"moz-txt-link-freetext" href=3D"http://git.savannah.gnu.org/cg=
it/guix.git/commit/?id=3D1de17a648fa631f0074d315bfff0716220ce4880">http:/=
/git.savannah.gnu.org/cgit/guix.git/commit/?id=3D1de17a648fa631f0074d315b=
fff0716220ce4880</a>

      Mark
</pre>
      </blockquote>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------B9CE162A6AB66FFCA20AA20D--

--ii2Q4fcS4QtmBp3ScxGWcoJIS1wnaeQtk--

--B1LSHF5sRuuNr3PxPvrDngDGVva1WDGrC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJYH3fVFxxkaWRpZXJAZmFtaWxsZS1saW5rLmZyAAoJELN7uGQS
fYWjOo0QAIokYNA+eswGclQjtqx4M0JQ9gXUWWj5IoIrCEiizyGvgHt7RQASW/Kg
zaAnNJ6CXwwn+IxEnf4zsl2qRxp17i9MDjBNG6EjBusXZKINsx0hHI8lDNSqSK0Y
4LoBCeqvJxTp4eRecMMACiyPftx3Gzo72ITwSedFNbpXw1D7sqUCiZByRqHqnbF6
GuI4IeU3ccA7UYGpCKp/nTy5nc+oiKUmUbBQsC19wRj0OvFQteUzEVas8IlE9PIH
8qGt+iKLtPg9a79UVWTA88XWCfM7HqBNyU8RkyOnOGdosO+D5yhx4O/DnqLQpwch
UgdsxgYj+rWMRb5sCqnv/RVWAccwNwNWbTWSUULvncE5n/3VUmmg/5fND2X/odaV
W53QNjR0bZHdiCrkZ/9v0dICr2r6NWK9lEFptbbBu0lRgfe9XuUpYk4FiyUxUbRS
hrt9rXz4DyPgAJQXMLHEuXCApDxLRFOX2CIbMaW5csTkcODsqSjPYAoXP3llRwW0
dmjOrj62qwG/zYI4j9jp+Z3PqibzaaaETTr7dGg2urSXCWzZGnAZzONNmzyNpx/x
cHqnobow948MRAnjT1zhPpkibYL1pLft8WFU6SD1uERAv1NLh/x49FSE2j4QUt6T
CYGzVbZ9p+XUXyMwXSNHCRwguQJGFfWJ8cCS/8Ie2RunjCZgppOO
=dIga
-----END PGP SIGNATURE-----

--B1LSHF5sRuuNr3PxPvrDngDGVva1WDGrC--