Your message dated Sun, 21 Oct 2007 11:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#447188: fixed in ghostscript 8.61.dfsg.1~svn8187-1.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ghostscript
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2007-2721[0]:
| The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
| JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
| attackers to cause a denial of service (crash) and possibly corrupt
| the heap via malformed image files, as originally demonstrated using
| imagemagick convert.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

This vulnerability is present in the embedded copy of
jasper.

See patch on: http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2721

Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 8.61.dfsg.1~svn8187-1.1
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:
ghostscript-doc_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/ghostscript-doc_8.61.dfsg.1~svn8187-1.1_all.deb
ghostscript-x_8.61.dfsg.1~svn8187-1.1_i386.deb
  to pool/main/g/ghostscript/ghostscript-x_8.61.dfsg.1~svn8187-1.1_i386.deb
ghostscript_8.61.dfsg.1~svn8187-1.1.diff.gz
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1~svn8187-1.1.diff.gz
ghostscript_8.61.dfsg.1~svn8187-1.1.dsc
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1~svn8187-1.1.dsc
ghostscript_8.61.dfsg.1~svn8187-1.1_i386.deb
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1~svn8187-1.1_i386.deb
gs-afpl_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs-afpl_8.61.dfsg.1~svn8187-1.1_all.deb
gs-aladdin_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs-aladdin_8.61.dfsg.1~svn8187-1.1_all.deb
gs-common_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs-common_8.61.dfsg.1~svn8187-1.1_all.deb
gs-esp_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs-esp_8.61.dfsg.1~svn8187-1.1_all.deb
gs-gpl_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs-gpl_8.61.dfsg.1~svn8187-1.1_all.deb
gs_8.61.dfsg.1~svn8187-1.1_all.deb
  to pool/main/g/ghostscript/gs_8.61.dfsg.1~svn8187-1.1_all.deb
libgs-dev_8.61.dfsg.1~svn8187-1.1_i386.deb
  to pool/main/g/ghostscript/libgs-dev_8.61.dfsg.1~svn8187-1.1_i386.deb
libgs8_8.61.dfsg.1~svn8187-1.1_i386.deb
  to pool/main/g/ghostscript/libgs8_8.61.dfsg.1~svn8187-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 20 Oct 2007 12:46:44 +0200
Source: ghostscript
Binary: gs-esp libgs-dev ghostscript-x gs-common libgs8 ghostscript gs-gpl gs gs-afpl gs-aladdin ghostscript-doc
Architecture: source all i386
Version: 8.61.dfsg.1~svn8187-1.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
ghostscript - The GPL Ghostscript PostScript/PDF interpreter
ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
gs - Transitional package
gs-afpl - Transitional package
gs-aladdin - Transitional package
gs-common - Transitional package
gs-esp - Transitional package
gs-gpl - Transitional package
libgs-dev - The Ghostscript PostScript Library - Development Files
libgs8 - The Ghostscript PostScript/PDF interpreter Library
Closes: 447188
Changes:
ghostscript (8.61.dfsg.1~svn8187-1.1) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Included 31-CVE-2007-2721.dpatch to fix remote
  user-assisted denial of service via malformed image
  files in embedded copy of jasper (Closes: #447188)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHGzRSHYflSXNkfP8RAm55AJ4901iXBaDAQc3NUIoaZshNIjn9QQCcCYbb
6Qk2dDJ6kL4F3+/nZahTi/A=
=51jh
-----END PGP SIGNATURE-----
--- End Message ---