* ghostscript vulnerabilities
[not found] <E1buKjg-00057S-2V@master.debian.org>
@ 2016-10-12 15:29 ` Alex Vong
2016-10-12 16:20 ` Leo Famulari
2016-10-12 21:13 ` Ludovic Courtès
0 siblings, 2 replies; 9+ messages in thread
From: Alex Vong @ 2016-10-12 15:29 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1775 bytes --]
Hello,
Below are from the security announcement list:
Salvatore Bonaccorso <carnil@debian.org> writes:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3691-1 security@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> October 12, 2016 https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : ghostscript
> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
> CVE-2016-7979 CVE-2016-8602
> Debian Bug : 839118 839260 839841 839845 839846 840451
>
> Several vulnerabilities were discovered in Ghostscript, the GPL
> PostScript/PDF interpreter, which may lead to the execution of arbitrary
> code or information disclosure if a specially crafted Postscript file is
> processed.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 9.06~dfsg-2+deb8u3.
>
> We recommend that you upgrade your ghostscript packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
I've checked just now. GNU Ghostscript is also affected at least by
CVE-2016-8602. Looking at the patch in this bug report[0] and the
source[1], one can see that the vulnerable lines are present in GNU
Ghostscript. What should we do now?
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
Thanks,
Alex
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong
@ 2016-10-12 16:20 ` Leo Famulari
2016-10-12 16:26 ` Leo Famulari
2016-10-12 21:13 ` Ludovic Courtès
1 sibling, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2016-10-12 16:20 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]
On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote:
> > Package : ghostscript
> > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
> > CVE-2016-7979 CVE-2016-8602
> > Debian Bug : 839118 839260 839841 839845 839846 840451
> >
> > Several vulnerabilities were discovered in Ghostscript, the GPL
> > PostScript/PDF interpreter, which may lead to the execution of arbitrary
> > code or information disclosure if a specially crafted Postscript file is
> > processed.
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
I don't know the relationship between GNU Ghostscript and "upstream"
Ghostscript. Can anyone explain why GNU offers its own distribution?
We can try cherry-picking the upstream commits that fix each of these
bugs [0]. Hopefully they apply to our older Ghostscript version.
If the resulting package's ABI is compatible to our current package, we
can apply it with a graft on the master branch.
We should also apply these patches to the ghostscript package on
core-updates.
Do you want to try it?
Debian helpfully links to the upstream commits corresponding to each
bug:
https://security-tracker.debian.org/tracker/CVE-2013-5653
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-12 16:20 ` Leo Famulari
@ 2016-10-12 16:26 ` Leo Famulari
0 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2016-10-12 16:26 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 337 bytes --]
On Wed, Oct 12, 2016 at 12:20:39PM -0400, Leo Famulari wrote:
> I don't know the relationship between GNU Ghostscript and "upstream"
> Ghostscript. Can anyone explain why GNU offers its own distribution?
Some history here:
https://en.wikipedia.org/wiki/Ghostscript#History
Hopefully the upstream patches will apply to our source code.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong
2016-10-12 16:20 ` Leo Famulari
@ 2016-10-12 21:13 ` Ludovic Courtès
2016-10-15 7:36 ` Mark H Weaver
1 sibling, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-10-12 21:13 UTC (permalink / raw)
To: bug-ghostscript, didier; +Cc: guix-devel
Hello Didier and all,
We are wondering about the applicability to GNU Ghostscript of the
recent vulnerabilities discovered in AGPL Ghostscript:
Alex Vong <alexvong1995@gmail.com> skribis:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-3691-1 security@debian.org
>> https://www.debian.org/security/ Salvatore Bonaccorso
>> October 12, 2016 https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package : ghostscript
>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>> CVE-2016-7979 CVE-2016-8602
>> Debian Bug : 839118 839260 839841 839845 839846 840451
>>
>> Several vulnerabilities were discovered in Ghostscript, the GPL
>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>> code or information disclosure if a specially crafted Postscript file is
>> processed.
[...]
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
WDYT? Perhaps a new release incorporating the fixes is in order?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-12 21:13 ` Ludovic Courtès
@ 2016-10-15 7:36 ` Mark H Weaver
2016-10-16 9:16 ` Didier Link
0 siblings, 1 reply; 9+ messages in thread
From: Mark H Weaver @ 2016-10-15 7:36 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript
ludo@gnu.org (Ludovic Courtès) writes:
> Hello Didier and all,
>
> We are wondering about the applicability to GNU Ghostscript of the
> recent vulnerabilities discovered in AGPL Ghostscript:
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
>> Salvatore Bonaccorso <carnil@debian.org> writes:
>>
>>> -------------------------------------------------------------------------
>>> Debian Security Advisory DSA-3691-1 security@debian.org
>>> https://www.debian.org/security/ Salvatore Bonaccorso
>>> October 12, 2016 https://www.debian.org/security/faq
>>> -------------------------------------------------------------------------
>>>
>>> Package : ghostscript
>>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>>> CVE-2016-7979 CVE-2016-8602
>>> Debian Bug : 839118 839260 839841 839845 839846 840451
>>>
>>> Several vulnerabilities were discovered in Ghostscript, the GPL
>>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>>> code or information disclosure if a specially crafted Postscript file is
>>> processed.
>
> [...]
>
>> I've checked just now. GNU Ghostscript is also affected at least by
>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>> source[1], one can see that the vulnerable lines are present in GNU
>> Ghostscript. What should we do now?
>>
>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>
> WDYT? Perhaps a new release incorporating the fixes is in order?
FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
You can find them here:
http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880
Mark
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-15 7:36 ` Mark H Weaver
@ 2016-10-16 9:16 ` Didier Link
2016-10-16 15:47 ` Alex Vong
0 siblings, 1 reply; 9+ messages in thread
From: Didier Link @ 2016-10-16 9:16 UTC (permalink / raw)
To: Mark H Weaver, Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript
[-- Attachment #1.1.1: Type: text/plain, Size: 2122 bytes --]
Hello all
I will review the Mark's patches and apply them for a security release
next week.
Thanks for your help !
Best regards
Didier
Le 15/10/2016 à 09:36, Mark H Weaver a écrit :
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Hello Didier and all,
>>
>> We are wondering about the applicability to GNU Ghostscript of the
>> recent vulnerabilities discovered in AGPL Ghostscript:
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> Salvatore Bonaccorso <carnil@debian.org> writes:
>>>
>>>> -------------------------------------------------------------------------
>>>> Debian Security Advisory DSA-3691-1 security@debian.org
>>>> https://www.debian.org/security/ Salvatore Bonaccorso
>>>> October 12, 2016 https://www.debian.org/security/faq
>>>> -------------------------------------------------------------------------
>>>>
>>>> Package : ghostscript
>>>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>>>> CVE-2016-7979 CVE-2016-8602
>>>> Debian Bug : 839118 839260 839841 839845 839846 840451
>>>>
>>>> Several vulnerabilities were discovered in Ghostscript, the GPL
>>>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>>>> code or information disclosure if a specially crafted Postscript file is
>>>> processed.
>> [...]
>>
>>> I've checked just now. GNU Ghostscript is also affected at least by
>>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>>> source[1], one can see that the vulnerable lines are present in GNU
>>> Ghostscript. What should we do now?
>>>
>>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
>>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>> WDYT? Perhaps a new release incorporating the fixes is in order?
> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
> You can find them here:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880
>
> Mark
[-- Attachment #1.1.2: Type: text/html, Size: 3875 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-16 9:16 ` Didier Link
@ 2016-10-16 15:47 ` Alex Vong
2016-11-06 18:34 ` Didier Link
0 siblings, 1 reply; 9+ messages in thread
From: Alex Vong @ 2016-10-16 15:47 UTC (permalink / raw)
To: Didier Link; +Cc: guix-devel, bug-ghostscript
[-- Attachment #1: Type: text/plain, Size: 2474 bytes --]
Hello,
I notice the patch for CVE-2016-7977[0] handles the problem differently
than GNU Ghostscript[1] does. Maybe you can take a look at it.
[0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c
Thanks,
Alex
Didier Link <didier@famille-link.fr> writes:
> Hello all
>
> I will review the Mark's patches and apply them for a security release next week.
>
> Thanks for your help !
>
> Best regards
>
> Didier
>
> Le 15/10/2016 à 09:36, Mark H Weaver a écrit :
>
> ludo@gnu.org (Ludovic Courtès) writes:
>
> Hello Didier and all,
>
> We are wondering about the applicability to GNU Ghostscript of the
> recent vulnerabilities discovered in AGPL Ghostscript:
>
> Alex Vong <alexvong1995@gmail.com> skribis:
>
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> -------------------------------------------------------------------------
>
> Debian Security Advisory DSA-3691-1 security@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> October 12, 2016 https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : ghostscript
> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
> CVE-2016-7979 CVE-2016-8602
> Debian Bug : 839118 839260 839841 839845 839846 840451
>
> Several vulnerabilities were discovered in Ghostscript, the GPL
> PostScript/PDF interpreter, which may lead to the execution of arbitrary
> code or information disclosure if a specially crafted Postscript file is
> processed.
>
> [...]
>
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>
> WDYT? Perhaps a new release incorporating the fixes is in order?
>
> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
> You can find them here:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880
>
> Mark
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 800 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-10-16 15:47 ` Alex Vong
@ 2016-11-06 18:34 ` Didier Link
2016-11-06 21:38 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Didier Link @ 2016-11-06 18:34 UTC (permalink / raw)
To: bug-ghostscript; +Cc: guix-devel
[-- Attachment #1.1.1: Type: text/plain, Size: 2908 bytes --]
Le 16/10/2016 à 17:47, Alex Vong a écrit :
> Hello,
>
> I notice the patch for CVE-2016-7977[0] handles the problem differently
> than GNU Ghostscript[1] does. Maybe you can take a look at it.
>
> [0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c
>
> Thanks,
> Alex
Hello,
I've just released a gnu-ghostscript point release with the CVE patches
adapted by Mark (really thanks !!!).
For the CVE-2016-7977 I've see that the file concerned was modified in
later release of gpl-ghostscript, I will see in later release of gnu
version ;)
Best regards
Didier
>
> Didier Link <didier@famille-link.fr> writes:
>
>> Hello all
>>
>> I will review the Mark's patches and apply them for a security release next week.
>>
>> Thanks for your help !
>>
>> Best regards
>>
>> Didier
>>
>> Le 15/10/2016 à 09:36, Mark H Weaver a écrit :
>>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>> Hello Didier and all,
>>
>> We are wondering about the applicability to GNU Ghostscript of the
>> recent vulnerabilities discovered in AGPL Ghostscript:
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>> Salvatore Bonaccorso <carnil@debian.org> writes:
>>
>> -------------------------------------------------------------------------
>>
>> Debian Security Advisory DSA-3691-1 security@debian.org
>> https://www.debian.org/security/ Salvatore Bonaccorso
>> October 12, 2016 https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package : ghostscript
>> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
>> CVE-2016-7979 CVE-2016-8602
>> Debian Bug : 839118 839260 839841 839845 839846 840451
>>
>> Several vulnerabilities were discovered in Ghostscript, the GPL
>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>> code or information disclosure if a specially crafted Postscript file is
>> processed.
>>
>> [...]
>>
>> I've checked just now. GNU Ghostscript is also affected at least by
>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>> source[1], one can see that the vulnerable lines are present in GNU
>> Ghostscript. What should we do now?
>>
>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>>
>> WDYT? Perhaps a new release incorporating the fixes is in order?
>>
>> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
>> You can find them here:
>>
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880
>>
>> Mark
[-- Attachment #1.1.2: Type: text/html, Size: 4660 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: ghostscript vulnerabilities
2016-11-06 18:34 ` Didier Link
@ 2016-11-06 21:38 ` Ludovic Courtès
0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2016-11-06 21:38 UTC (permalink / raw)
To: Didier Link; +Cc: guix-devel, bug-ghostscript
Hi Didier,
Didier Link <didier@famille-link.fr> skribis:
> I've just released a gnu-ghostscript point release with the CVE patches
> adapted by Mark (really thanks !!!).
Thank you!
> For the CVE-2016-7977 I've see that the file concerned was modified in
> later release of gpl-ghostscript, I will see in later release of gnu
> version ;)
So is GNU Ghostscript 9.14.1 still vulnerable to CVE-2016-7977?
Cheers,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-11-06 21:39 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <E1buKjg-00057S-2V@master.debian.org>
2016-10-12 15:29 ` ghostscript vulnerabilities Alex Vong
2016-10-12 16:20 ` Leo Famulari
2016-10-12 16:26 ` Leo Famulari
2016-10-12 21:13 ` Ludovic Courtès
2016-10-15 7:36 ` Mark H Weaver
2016-10-16 9:16 ` Didier Link
2016-10-16 15:47 ` Alex Vong
2016-11-06 18:34 ` Didier Link
2016-11-06 21:38 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.