From: Alex Vong
Subject: ghostscript vulnerabilities
Date: Wed, 12 Oct 2016 23:29:07 +0800
Message-ID: <87insx37ss.fsf@gmail.com>
To: guix-devel@gnu.org
In-Reply-To: (Salvatore Bonaccorso's message of "Wed, 12 Oct 2016 14:42:24 +0000")
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

Below are from the security announcement list:

Salvatore Bonaccorso writes:

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3691-1                   security@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> October 12, 2016                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : ghostscript
> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>                  CVE-2016-7979 CVE-2016-8602
> Debian Bug     : 839118 839260 839841 839845 839846 840451
>
> Several vulnerabilities were discovered in Ghostscript, the GPL
> PostScript/PDF interpreter, which may lead to the execution of arbitrary
> code or information disclosure if a specially crafted Postscript file is
> processed.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 9.06~dfsg-2+deb8u3.
>
> We recommend that you upgrade your ghostscript packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org

I've checked just now. GNU Ghostscript is also affected at least by
CVE-2016-8602. Looking at the patch in this bug report[0] and the
source[1], one can see that the vulnerable lines are present in GNU
Ghostscript.

What should we do now?

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c

Thanks,
Alex