[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ghostscript vulnerabilities
|
From: |
Leo Famulari |
|
Subject: |
Re: ghostscript vulnerabilities |
|
Date: |
Wed, 12 Oct 2016 12:20:39 -0400 |
|
User-agent: |
Mutt/1.7.0 (2016-08-17) |
On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote:
> > Package : ghostscript
> > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978
> > CVE-2016-7979 CVE-2016-8602
> > Debian Bug : 839118 839260 839841 839845 839846 840451
> >
> > Several vulnerabilities were discovered in Ghostscript, the GPL
> > PostScript/PDF interpreter, which may lead to the execution of arbitrary
> > code or information disclosure if a specially crafted Postscript file is
> > processed.
> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
I don't know the relationship between GNU Ghostscript and "upstream"
Ghostscript. Can anyone explain why GNU offers its own distribution?
We can try cherry-picking the upstream commits that fix each of these
bugs [0]. Hopefully they apply to our older Ghostscript version.
If the resulting package's ABI is compatible to our current package, we
can apply it with a graft on the master branch.
We should also apply these patches to the ghostscript package on
core-updates.
Do you want to try it?
Debian helpfully links to the upstream commits corresponding to each
bug:
https://security-tracker.debian.org/tracker/CVE-2013-5653
signature.asc
Description: PGP signature