Your message dated Mon, 04 May 2009 17:47:33 +0000
with message-id <e1m12gl-0004vh...@ries.debian.org>
and subject line Bug#524803: fixed in ghostscript 8.64~dfsg-1+squeeze1
has caused the Debian Bug report #524803,
regarding ghostscript: multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
524803: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524803
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: ghostscript
severity: grave
tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for ghostscript.
CVE-2007-6725[0]:
| The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
| other versions, allows remote attackers to cause a denial of service
| (crash) and possibly execute arbitrary code via a crafted PDF file
| that triggers a buffer underflow in the cf_decode_2d function.
CVE-2008-6679[1]:
| Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and
| possibly other versions, allows remote attackers to cause a denial of
| service (ps2pdf crash) and possibly execute arbitrary code via a
| crafted Postscript file.
CVE-2009-0196[2]:
| Heap-based buffer overflow in the big2_decode_symbol_dict function
| (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in
| Ghostscript 8.64, and probably earlier versions, allows remote
| attackers to execute arbitrary code via a PDF file with a JBIG2 symbol
| dictionary segment with a large run length value.
Please coordinate with the security team (t...@security.debian.org)
to prepare fixes for the stable releases.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://security-tracker.debian.net/tracker/CVE-2007-6725
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
http://security-tracker.debian.net/tracker/CVE-2008-6679
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
http://security-tracker.debian.net/tracker/CVE-2009-0196
--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 8.64~dfsg-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:
ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb
ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb
to pool/main/g/ghostscript/ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb
ghostscript_8.64~dfsg-1+squeeze1.diff.gz
to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1.diff.gz
ghostscript_8.64~dfsg-1+squeeze1.dsc
to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1.dsc
ghostscript_8.64~dfsg-1+squeeze1_amd64.deb
to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1_amd64.deb
gs-aladdin_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/gs-aladdin_8.64~dfsg-1+squeeze1_all.deb
gs-common_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/gs-common_8.64~dfsg-1+squeeze1_all.deb
gs-esp_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/gs-esp_8.64~dfsg-1+squeeze1_all.deb
gs-gpl_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/gs-gpl_8.64~dfsg-1+squeeze1_all.deb
gs_8.64~dfsg-1+squeeze1_all.deb
to pool/main/g/ghostscript/gs_8.64~dfsg-1+squeeze1_all.deb
libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb
to pool/main/g/ghostscript/libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb
libgs8_8.64~dfsg-1+squeeze1_amd64.deb
to pool/main/g/ghostscript/libgs8_8.64~dfsg-1+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 524...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 22 Apr 2009 00:19:51 +0200
Source: ghostscript
Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.64~dfsg-1+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
ghostscript - The GPL Ghostscript PostScript/PDF interpreter
ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display support
gs - Transitional package
gs-aladdin - Transitional package
gs-common - Dummy package depending on ghostscript
gs-esp - Transitional package
gs-gpl - Transitional package
libgs-dev - The Ghostscript PostScript Library - Development Files
libgs8 - The Ghostscript PostScript/PDF interpreter Library
Closes: 522416 524803 524915
Changes:
ghostscript (8.64~dfsg-1+squeeze1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update fixes various security issues:
- CVE-2009-0792: multiple integer overflows in the icc library
can cause a heap-based buffer overflow possibly leading to arbitrary
code execution.
- CVE-2009-0584/CVE-2009-0583: Multiple integer overflows causing an
application crash or possibly arbitrary code execution.
- CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict()
leading to arbitrary code execution via a crafted JBIG2 symbol
dictionary segment.
.
(Closes: #524915, #522416, #524803)
Checksums-Sha1:
14f32b8d9f0d6c080fb9ab5b0dbe0c83d452af3e 1686 ghostscript_8.64~dfsg-1+squeeze1.dsc
5bb48646a61d9453e5fa669d229a847136c8a680 11996078 ghostscript_8.64~dfsg.orig.tar.gz
913cbe48f8d931f00968d8be58d56f7222340566 86715 ghostscript_8.64~dfsg-1+squeeze1.diff.gz
cb910dc645de359b9f13a8e90ae1ba9a856d911c 30622 gs_8.64~dfsg-1+squeeze1_all.deb
0205d82d28da9eda5b7f75e890a78e6be209b461 30618 gs-esp_8.64~dfsg-1+squeeze1_all.deb
3fcbcb09f962e19874d28f61688b951a1ba56d02 30624 gs-gpl_8.64~dfsg-1+squeeze1_all.deb
b0f2a16b66fe5f09412e05db57ac2b43d62bfff4 30630 gs-aladdin_8.64~dfsg-1+squeeze1_all.deb
04b894385452935eebdde7e0b6b8749d481e6781 30884 gs-common_8.64~dfsg-1+squeeze1_all.deb
b6365abfbb00d01c9d3b9114f85003a0640101b0 2964652 ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb
cdc5cab5ebf97796492541fcf5d39cd180463394 769912 ghostscript_8.64~dfsg-1+squeeze1_amd64.deb
f7d778d1f20b7e307119f0616be377b9a096055b 64032 ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb
bffa3343304c13c99a124f0b0b0a9868208039ee 2399554 libgs8_8.64~dfsg-1+squeeze1_amd64.deb
f7c3486f9feb13599c6d5c6285e05b0cc88ab208 38320 libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb
Checksums-Sha256:
c1b0b105c97e6519e799576b77ec122e1398ca68e1f0664ab6f1dd4994cb8fea 1686 ghostscript_8.64~dfsg-1+squeeze1.dsc
cc856d33cb781cdc3383b8eb4e0f390997f8359fe144a906b84297b5d377f03d 11996078 ghostscript_8.64~dfsg.orig.tar.gz
56f7f81acef3de7dcd242ff64a762840d59b05f1c16247047dfb6dd11b6a0983 86715 ghostscript_8.64~dfsg-1+squeeze1.diff.gz
879dcaf08ca16d38a3bdbaa6ad825746075045fce6058dc682609bf1d4febc6e 30622 gs_8.64~dfsg-1+squeeze1_all.deb
ee6930582ea9e8dc63dad0ea19f665fb557ea212dec2732e1c212a546fdf75e6 30618 gs-esp_8.64~dfsg-1+squeeze1_all.deb
1b47ef59970e8ed3fa8c5b295c85d7778d54260225491a76a53b2c5bb7a03e1e 30624 gs-gpl_8.64~dfsg-1+squeeze1_all.deb
4727d743dec40e284543eb485b747d863fd64a7d5dc4a3b5961988ece54974c2 30630 gs-aladdin_8.64~dfsg-1+squeeze1_all.deb
c2a54af4b0f8371a9bd69256f3c360f3b997eab56b7c645443026fdee1dab797 30884 gs-common_8.64~dfsg-1+squeeze1_all.deb
d855b88533b6f4f2d8fbd14eb75c8c2e6789e838c7b0fc9a96c2f18bf61b5fd5 2964652 ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb
0220ad7802e7e36bf4b2332bf8e9bdcbba74bc635c2c04757c1b9b2899007543 769912 ghostscript_8.64~dfsg-1+squeeze1_amd64.deb
8fb3d594f4316e64749697a55b11601d8793d891cf8edf89ee8be595ca58f4d5 64032 ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb
5d0a1eea0c034b170fcdfe71355d79341240f906dd4be3f8cb81b832734cecf2 2399554 libgs8_8.64~dfsg-1+squeeze1_amd64.deb
4e0f12ff40de8f7a333a8f44ead78409822824c6ae96738be86068c121854578 38320 libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb
Files:
f2487113efaedd0869b033e5dfd49cdd 1686 text optional ghostscript_8.64~dfsg-1+squeeze1.dsc
e42706c2409815df5c959484080fd4a3 11996078 text optional ghostscript_8.64~dfsg.orig.tar.gz
8317ffc09f923368e4305f025c6bfcd9 86715 text optional ghostscript_8.64~dfsg-1+squeeze1.diff.gz
9e8022883ec4f35e22ac030fbd79a622 30622 text extra gs_8.64~dfsg-1+squeeze1_all.deb
ff1f6644769114b644842cfb2456497f 30618 text extra gs-esp_8.64~dfsg-1+squeeze1_all.deb
12c3bd09877de8c8fc2def9431d82d79 30624 text extra gs-gpl_8.64~dfsg-1+squeeze1_all.deb
b295fb9a4d18c3ada094cd259f69cfe9 30630 text extra gs-aladdin_8.64~dfsg-1+squeeze1_all.deb
20e9c0290d09dded49e1e0feccdc3368 30884 text extra gs-common_8.64~dfsg-1+squeeze1_all.deb
10ed6579ecce2302b647bf7df16ef46c 2964652 doc optional ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb
61542d159ad18b46640761470dc85712 769912 text optional ghostscript_8.64~dfsg-1+squeeze1_amd64.deb
9942a8959be5eb58fa12b4e6d2b0635e 64032 text optional ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb
d1b5c3846dac054078fbb2548c216ae0 2399554 libs optional libgs8_8.64~dfsg-1+squeeze1_amd64.deb
15158c213b74cab80a7c30bc4fbdc837 38320 libdevel optional libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkn0fsgACgkQHYflSXNkfP8SrgCgi6VY5Ec67mZn5zjuXwiAOpnC
5AAAnR7J/I4ycrFr8Xc4gvglnHj7deQ6
=B/Kg
-----END PGP SIGNATURE-----
--- End Message ---