From mboxrd@z Thu Jan  1 00:00:00 1970
From: Didier Link <didier@famille-link.fr>
Subject: Re: ghostscript vulnerabilities
Date: Sun, 16 Oct 2016 11:16:44 +0200
Message-ID: <c6ff8743-187b-49d1-8597-bf252bd1fedd@famille-link.fr>
References: <E1buKjg-00057S-2V@master.debian.org> <87insx37ss.fsf@gmail.com>
	<87mvi9l17x.fsf@gnu.org> <87a8e6jc6q.fsf@netris.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
	boundary="xDCbhA718IPxKSsTJXM7I4gM4h8xDWpqm"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54271)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <didier@famille-link.fr>) id 1bvhZ0-0000LU-Vt
	for guix-devel@gnu.org; Sun, 16 Oct 2016 05:17:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <didier@famille-link.fr>) id 1bvhYz-0000vK-PN
	for guix-devel@gnu.org; Sun, 16 Oct 2016 05:17:02 -0400
In-Reply-To: <87a8e6jc6q.fsf@netris.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Mark H Weaver <mhw@netris.org>, =?UTF-8?Q?Ludovic_Court=c3=a8s?= <ludo@gnu.org>
Cc: didier@famille-link.fr, guix-devel@gnu.org, bug-ghostscript@gnu.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--xDCbhA718IPxKSsTJXM7I4gM4h8xDWpqm
Content-Type: multipart/mixed; boundary="ws44giSFH3wAfhu4HsjITiiRCBbJ1U8WU"
From: Didier Link <didier@famille-link.fr>
To: Mark H Weaver <mhw@netris.org>, =?UTF-8?Q?Ludovic_Court=c3=a8s?=
 <ludo@gnu.org>
Cc: bug-ghostscript@gnu.org, didier@famille-link.fr, guix-devel@gnu.org
Message-ID: <c6ff8743-187b-49d1-8597-bf252bd1fedd@famille-link.fr>
Subject: Re: ghostscript vulnerabilities
References: <E1buKjg-00057S-2V@master.debian.org> <87insx37ss.fsf@gmail.com>
 <87mvi9l17x.fsf@gnu.org> <87a8e6jc6q.fsf@netris.org>
In-Reply-To: <87a8e6jc6q.fsf@netris.org>

--ws44giSFH3wAfhu4HsjITiiRCBbJ1U8WU
Content-Type: multipart/alternative;
 boundary="------------ED9478D3860690CE1DCD96E6"

This is a multi-part message in MIME format.
--------------ED9478D3860690CE1DCD96E6
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hello all

I will review the Mark's patches and apply them for a security release
next week.

Thanks for your help !

Best regards

Didier


Le 15/10/2016 =C3=A0 09:36, Mark H Weaver a =C3=A9crit :
> ludo@gnu.org (Ludovic Court=C3=A8s) writes:
>
>> Hello Didier and all,
>>
>> We are wondering about the applicability to GNU Ghostscript of the
>> recent vulnerabilities discovered in AGPL Ghostscript:
>>
>> Alex Vong <alexvong1995@gmail.com> skribis:
>>
>>> Salvatore Bonaccorso <carnil@debian.org> writes:
>>>
>>>> --------------------------------------------------------------------=
-----
>>>> Debian Security Advisory DSA-3691-1                   security@debia=
n.org
>>>> https://www.debian.org/security/                     Salvatore Bonac=
corso
>>>> October 12, 2016                      https://www.debian.org/securit=
y/faq
>>>> --------------------------------------------------------------------=
-----
>>>>
>>>> Package        : ghostscript
>>>> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-=
7978=20
>>>>                  CVE-2016-7979 CVE-2016-8602
>>>> Debian Bug     : 839118 839260 839841 839845 839846 840451
>>>>
>>>> Several vulnerabilities were discovered in Ghostscript, the GPL
>>>> PostScript/PDF interpreter, which may lead to the execution of arbit=
rary
>>>> code or information disclosure if a specially crafted Postscript fil=
e is
>>>> processed.
>> [...]
>>
>>> I've checked just now. GNU Ghostscript is also affected at least by
>>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>>> source[1], one can see that the vulnerable lines are present in GNU
>>> Ghostscript. What should we do now?
>>>
>>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D840451
>>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c=

>> WDYT?  Perhaps a new release incorporating the fixes is in order?
> FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
> You can find them here:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=3D1de17a648fa631f0=
074d315bfff0716220ce4880
>
>       Mark



--------------ED9478D3860690CE1DCD96E6
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>

    <meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf=
-8">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix"><br>
      Hello all<br>
      <br>
      I will review the Mark's patches and apply them for a security
      release next week.<br>
      <br>
      Thanks for your help !<br>
      <br>
      Best regards<br>
      <br>
      Didier<br>
      <br>
      <br>
      Le 15/10/2016 =C3=A0 09:36, Mark H Weaver a =C3=A9crit=C2=A0:<br>
    </div>
    <blockquote class=3D" cite" id=3D"mid_87a8e6jc6q_fsf_netris_org"
      cite=3D"mid:87a8e6jc6q.fsf@netris.org" type=3D"cite">
      <pre wrap=3D""><a class=3D"moz-txt-link-abbreviated" href=3D"mailto=
:ludo@gnu.org">ludo@gnu.org</a> (Ludovic Court=C3=A8s) writes:

</pre>
      <blockquote class=3D" cite" id=3D"Cite_4116165" type=3D"cite">
        <pre wrap=3D"">Hello Didier and all,

We are wondering about the applicability to GNU=C2=A0Ghostscript of the
recent vulnerabilities discovered in AGPL=C2=A0Ghostscript:

Alex Vong <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:alexvong1995@=
gmail.com">&lt;alexvong1995@gmail.com&gt;</a> skribis:

</pre>
        <blockquote class=3D" cite" id=3D"Cite_6398427" type=3D"cite">
          <pre wrap=3D"">Salvatore Bonaccorso <a class=3D"moz-txt-link-rf=
c2396E" href=3D"mailto:carnil@debian.org">&lt;carnil@debian.org&gt;</a> w=
rites:

</pre>
          <blockquote class=3D" cite" id=3D"Cite_2768069" type=3D"cite">
            <pre wrap=3D"">----------------------------------------------=
---------------------------
Debian Security Advisory DSA-3691-1                   <a class=3D"moz-txt=
-link-abbreviated" href=3D"mailto:security@debian.org">security@debian.or=
g</a>
<a class=3D"moz-txt-link-freetext" href=3D"https://www.debian.org/securit=
y/">https://www.debian.org/security/</a>                     Salvatore Bo=
naccorso
October 12, 2016                      <a class=3D"moz-txt-link-freetext" =
href=3D"https://www.debian.org/security/faq">https://www.debian.org/secur=
ity/faq</a>
-------------------------------------------------------------------------=


Package        : ghostscript
CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 =

                 CVE-2016-7979 CVE-2016-8602
Debian Bug     : 839118 839260 839841 839845 839846 840451

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may lead to the execution of arbitrary
code or information disclosure if a specially crafted Postscript file is
processed.
</pre>
          </blockquote>
        </blockquote>
        <pre wrap=3D"">[...]

</pre>
        <blockquote class=3D" cite" id=3D"Cite_2227641" type=3D"cite">
          <pre wrap=3D"">I've checked just now. GNU Ghostscript is also a=
ffected at least by
CVE-2016-8602. Looking at the patch in this bug report[0] and the
source[1], one can see that the vulnerable lines are present in GNU
Ghostscript. What should we do now?

[0]: <a class=3D"moz-txt-link-freetext" href=3D"https://bugs.debian.org/c=
gi-bin/bugreport.cgi?bug=3D840451">https://bugs.debian.org/cgi-bin/bugrep=
ort.cgi?bug=3D840451</a>
[1]: <a class=3D"moz-txt-link-freetext" href=3D"http://git.savannah.gnu.o=
rg/cgit/ghostscript.git/tree/psi/zht2.c">http://git.savannah.gnu.org/cgit=
/ghostscript.git/tree/psi/zht2.c</a>
</pre>
        </blockquote>
        <pre wrap=3D"">WDYT?  Perhaps a new release incorporating the fix=
es is in order?
</pre>
      </blockquote>
      <pre wrap=3D"">FYI, I ported the upstream patches to GNU ghostscrip=
t for GNU Guix.
You can find them here:

<a class=3D"moz-txt-link-freetext" href=3D"http://git.savannah.gnu.org/cg=
it/guix.git/commit/?id=3D1de17a648fa631f0074d315bfff0716220ce4880">http:/=
/git.savannah.gnu.org/cgit/guix.git/commit/?id=3D1de17a648fa631f0074d315b=
fff0716220ce4880</a>

      Mark
</pre>
    </blockquote>
    <p><br>
    </p>
  </body>
</html>

--------------ED9478D3860690CE1DCD96E6--

--ws44giSFH3wAfhu4HsjITiiRCBbJ1U8WU--

--xDCbhA718IPxKSsTJXM7I4gM4h8xDWpqm
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJYA0WCFxxkaWRpZXJAZmFtaWxsZS1saW5rLmZyAAoJELN7uGQS
fYWjWe4QAIv+qJXpRMyUe4MFWRHBRvunW7XtN+/vKUuUgjp+U9JoLopUiUSNSmui
wA0DGERYESRnOVE7970VSQLJwDAQaauYwo1MfnsVNlJnANv2+z7/RFVX2FLs78jm
nAb0+FsulNTyXQB2yDDGaRGdlaLJzqdV9t6EbMbalXDgr/1ycfmmue3778ZcygvK
o2PKkVwnpVFGkd/87n9qIWbgSClkzF7KVUF+BcF3HXbn9GxJqpRbYs4/2rfNH+g+
9l8dMYq8RRIzqVRQEvJ7OSK4Fi0TScAKOpWyTTy7Lo+lwJ4BgKiaX6T0XLOxjTN4
HPZoO/nH+kXnkwc942PyT0igP7b8eAyyheKXgpambC0/yBjNld/Khr8onjwK6EPW
QJ1vfDG4iNa97SVsjqCSYOHGxJt+AHp4euEhwQHBD9ZlR2yjwI1raT0ymooH9Gyn
eFSrYiELRIs67U3T7xo69LnVmtCTjWx/wYaNIh0+C8McsA0jPAc26eKlgsTH0eeL
yiK/t3ye9NT0QcrbQ65BmMWToNK6HnsfF68V8BhXCSj8P9Ygj+2O2SBJ3sVeOsVR
A680CzD8FcsUTG54EKiNo4QQOkLwCwZgcJCsgemTMVsa+HHW/o2ckzHfs4S0V/Wn
unia7I0krHq9MvabQrnEEzeVz8GBbFettGIRVRSTVcXXTkMSt7pu
=51wy
-----END PGP SIGNATURE-----

--xDCbhA718IPxKSsTJXM7I4gM4h8xDWpqm--