Your message dated Sun, 28 Feb 2010 17:33:26 +0000
with message-id <e1nln1c-0005mo...@ries.debian.org>
and subject line Bug#560930: fixed in ghostscript 8.71~dfsg-2
has caused the Debian Bug report #560930,
regarding CVE-2009-3560 and CVE-2009-3720 denial-of-services
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
560930: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560930
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: ghostscript
severity: serious
tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for expat.  I have determined that this package embeds a
vulnerable copy of xmlparse.c and xmltok_impl.c.  However, since this is
a mass bug filing (due to so many packages embedding expat), I have
not had time to determine whether the vulnerable code is actually
present in any of the binary packages derived from this source package.
Please determine whether this is the case. If the binary packages are
not affected, please feel free to close the bug with a message
containing the details of what you did to check.

CVE-2009-3560[0]:
| The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,
| as used in the XML-Twig module for Perl, allows context-dependent
| attackers to cause a denial of service (application crash) via an XML
| document with malformed UTF-8 sequences that trigger a buffer
| over-read, related to the doProlog function in lib/xmlparse.c, a
| different vulnerability than CVE-2009-2625 and CVE-2009-3720.

CVE-2009-3720[1]:
| The updatePosition function in lib/xmltok_impl.c in libexpat in Expat
| 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
| allows context-dependent attackers to cause a denial of service
| (application crash) via an XML document with crafted UTF-8 sequences
| that trigger a buffer over-read, a different vulnerability than
| CVE-2009-2625.

These issues also affect old versions of expat, so this package in etch
and lenny is very likely affected.  This is a low-severity security
issue, so DSAs will not be issued to correct these problems.  However,
you can optionally submit a proposed-update to the release team for
inclusion in the next stable point releases.  If you plan to do this, 
please open new bugs and include the security tag so we are aware that
you are working on that.

For further information see [0],[1],[2],[3].  In particular, [2] and [3]
are links to the patches for CVE-2009-3560 and CVE-2009-3720
respectively. Note that the ideal solution would be to make use of the
system expat so only one package will need to be updated for future
security issues. Preferably in your update to unstable, alter your
package to make use of the system expat.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
    http://security-tracker.debian.org/tracker/CVE-2009-3560
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
    http://security-tracker.debian.org/tracker/CVE-2009-3720
[2] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165
[3] http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch



--- End Message ---
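The report above asks each maintainer to determine whether the package really carries (and builds) the embedded expat copy. As an added editorial example, not part of either message in this thread and not Debian or ghostscript tooling, the following Python script does the first half of that check over a source tree: it locates the expat source files the report and the quoted CVE text name (xmlparse.c, xmltok_impl.c, xmltok.c), reads the embedded copy's version from expat.h, and reports whether that version is within the range the advisory names (Expat 2.0.1 and older). It assumes the embedded copy keeps expat's own file names and its real XML_MAJOR/MINOR/MICRO_VERSION macros; the sample tree it scans is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# File names the bug report and the quoted CVE text associate with an embedded
# expat copy: xmlparse.c (doProlog), xmltok_impl.c (updatePosition) and
# xmltok.c (big2_toUtf8).
EXPAT_SOURCE_FILES = {"xmlparse.c", "xmltok.c", "xmltok_impl.c"}

# Highest version the quoted CVE text names as affected (Expat 2.0.1); the
# report adds that older versions are affected as well.
AFFECTED_UPTO = (2, 0, 1)

# expat.h publishes its version through these three #define lines.
_VERSION_RE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.MULTILINE
)


def find_embedded_expat(root):
    """Return the expat source files found under root as sorted relative paths."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name in EXPAT_SOURCE_FILES:
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def parse_expat_version(expat_h_text):
    """Parse (major, minor, micro) from the text of an expat.h, or None."""
    found = {m.group(1): int(m.group(2)) for m in _VERSION_RE.finditer(expat_h_text)}
    if all(k in found for k in ("MAJOR", "MINOR", "MICRO")):
        return (found["MAJOR"], found["MINOR"], found["MICRO"])
    return None


def assess_tree(root):
    """Classify a tree as 'not-embedded', 'affected-version', 'newer-version'
    or 'version-unknown' (embedded copy present, but no readable expat.h)."""
    files = find_embedded_expat(root)
    version = None
    for dirpath, _dirs, filenames in os.walk(root):
        if "expat.h" in filenames:
            version = parse_expat_version(Path(dirpath, "expat.h").read_text())
            if version is not None:
                break
    if not files:
        verdict = "not-embedded"
    elif version is None:
        verdict = "version-unknown"
    elif version <= AFFECTED_UPTO:
        verdict = "affected-version"
    else:
        verdict = "newer-version"
    return {"embedded_files": files, "version": version, "verdict": verdict}


def build_sample_tree(embed=True, version=(2, 0, 1)):
    """Constructed sample input: a throwaway tree that may carry an embedded expat."""
    root = Path(tempfile.mkdtemp(prefix="expat-check-"))
    (root / "src").mkdir()
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    if embed:
        lib = root / "src" / "expat"
        lib.mkdir()
        (lib / "xmlparse.c").write_text("/* constructed stand-in for expat's xmlparse.c */\n")
        (lib / "xmltok_impl.c").write_text("/* constructed stand-in for expat's xmltok_impl.c */\n")
        major, minor, micro = version
        (lib / "expat.h").write_text(
            f"#define XML_MAJOR_VERSION {major}\n"
            f"#define XML_MINOR_VERSION {minor}\n"
            f"#define XML_MICRO_VERSION {micro}\n"
        )
    return str(root)


if __name__ == "__main__":
    for embed in (True, False):
        print(assess_tree(build_sample_tree(embed=embed)))
```

An "affected-version" verdict only establishes that the source carries the copy; whether the binary packages compile and ship it is the second half of the check and needs a look at the build system. The ideal fix the report recommends, and the one the close message applies (build-depend on libexpat-dev, enable SHARE_EXPAT), moves the dependency to the system library, after which the confirmation is that the built library lists libexpat among its dynamic dependencies (for example in the output of `ldd` or `objdump -p`) rather than exporting expat's own symbols.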
--- Begin Message ---
Source: ghostscript
Source-Version: 8.71~dfsg-2

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg-2_amd64.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg-2_amd64.deb
ghostscript-doc_8.71~dfsg-2_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg-2_all.deb
ghostscript-x_8.71~dfsg-2_amd64.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg-2_amd64.deb
ghostscript_8.71~dfsg-2.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg-2.debian.tar.gz
ghostscript_8.71~dfsg-2.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg-2.dsc
ghostscript_8.71~dfsg-2_amd64.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg-2_amd64.deb
gs-common_8.71~dfsg-2_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg-2_all.deb
gs-esp_8.71~dfsg-2_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg-2_all.deb
gs-gpl_8.71~dfsg-2_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg-2_all.deb
libgs-dev_8.71~dfsg-2_amd64.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg-2_amd64.deb
libgs8_8.71~dfsg-2_amd64.deb
  to main/g/ghostscript/libgs8_8.71~dfsg-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 28 Feb 2010 18:06:54 +0100
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.71~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display support
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 560930
Changes: 
 ghostscript (8.71~dfsg-2) unstable; urgency=low
 .
   * Update copyright file:
     + Fix license section GPL-2+ to add refer to actual license at
       /usr/share/common-licenses/GPL-2.
     + Strip from license section other-GPL-3+-Artifex partly outdated
       non-license part.
     + Fix replace bogus license section "GPL-2+ or AFPL" with AFPL one.
     + Fix change license "GPL-2+ with Autoconf exception" to "GPL-2+ or
       other-sa-Autoconf", and add new license section other-sa-Autoconf.
     + Fix change license "GPL-2+ with Libtool exception" to "GPL-2+ or
       other-sa-Libtool", and add new license section other-sa-Libtool.
     + Extend license section GPL-2+ to cover more variants (reducing
       verbatim copies by documenting file/program/library variations).
     + Change GPL license sections to refer to FSF website (as in
       py-compile, not postal address as common in other (older?) cases).
       Place the website reference below Debian-specific reference to
       actual license file, to slightly emphasize that it is a local edit
       (not copied verbatim from an upstream file).
   * Build-depend on libexpat-dev and enable SHARE_EXPAT. Closes:
     bug#560930 (CVE-2009-3560 and CVE-2009-3720), thanks to Michael
     Gilbert and Moritz Muehlenhoff.
   * Tighten watch file to not include macosx flavor, and simplify to no
     longer mangle upstream gpl extension.
   * Apply bug-fixing patches cherry-picked from upstream SVN:
     + 0751: Add missing dereferencing of indirect objects in /Mask array
     + 0778: Fix PDF trailer attributes undefined error
     + 0780: Add cast to bmpcmp.c to quiet useless compiler warning
     + 0782: Fix signedness and other wrong var comparisons in T2 dict
     + 0785: Fix pdfwrite UTF16 handling in PDF/A output
     + 0788: Fix error passing setscreen read-only Halftone type1 dict
     + 0794: Fix ignore a class of broken TrueType font
     + 0810: Fix pdfwrite widths for CIDFont with unusual FontMatrix
     + 0821: Add missing newline in a TTF debug message
     + 0822: Upgrade Adobe Glyph List to v. 2.0.
     + 0823: Fix drop wrong raster optimization in gxipixel.c
     + 0824: Fix PDF crop /TrimBox and /CropBox by the /MediaBox
   * Refresh all patches with quilt option --no-timestamp.
Checksums-Sha1: 
 8ee659f20521c95caf7f10c24bf68800ae18d1d4 1770 ghostscript_8.71~dfsg-2.dsc
 417451f2762c4997cef95f199340a61a5b350278 198072 ghostscript_8.71~dfsg-2.debian.tar.gz
 76b99314c97589e560dfa4071827f130d92d7ad6 42518 gs-esp_8.71~dfsg-2_all.deb
 0054e0caf0daa9e1ecb90951140643157e6ea0e3 42520 gs-gpl_8.71~dfsg-2_all.deb
 2e1d699ca8ac56b643a9608205a24644c526949e 42544 gs-common_8.71~dfsg-2_all.deb
 d69a1b49b94e01dae55aae897436f4aaaea30c93 3231518 ghostscript-doc_8.71~dfsg-2_all.deb
 715e79964df5e9a9afd58a05ece180628fe46ba7 4117266 ghostscript_8.71~dfsg-2_amd64.deb
 c1ea432a83aa7650a3333e3cbb44b38e324ff29c 57728 ghostscript-cups_8.71~dfsg-2_amd64.deb
 43a7579ee98e4d8895742bd31b647774c38ed548 77204 ghostscript-x_8.71~dfsg-2_amd64.deb
 197cc34d14070196475ab14681cd61e3495f059a 2230480 libgs8_8.71~dfsg-2_amd64.deb
 70f6b402cc7a05a9913c6bd4d49ab5551c046311 2816422 libgs-dev_8.71~dfsg-2_amd64.deb
Checksums-Sha256: 
 1db4ea3b9f56a581d0aeafc45a8ca43f1beacf59a76b7b04749b5eab1899b10d 1770 ghostscript_8.71~dfsg-2.dsc
 3d97a3e460f4d71c4ac9736ea6403dcbd9415f3cc950d052a91d6de9e9e52cff 198072 ghostscript_8.71~dfsg-2.debian.tar.gz
 f7f4024904e2061848c2573c8c7a60d5ff97f2e995d3db807f34038140157229 42518 gs-esp_8.71~dfsg-2_all.deb
 36bed3d6dd9529b44f501db63ad2d2e0a965b23936623431ddc1b4a5c1d04692 42520 gs-gpl_8.71~dfsg-2_all.deb
 a1f3d34b09a771cf7ec356186da2955c0917056a0d4b5105946550ee179d81b3 42544 gs-common_8.71~dfsg-2_all.deb
 56c8ae72af46e1f5e98ebe26b25c7296f1e4b16db085f1c31b820c00682bb1e0 3231518 ghostscript-doc_8.71~dfsg-2_all.deb
 bb04ded545e317dcd7fca6092d97507404b85422d0429ffd48db85929a3cde76 4117266 ghostscript_8.71~dfsg-2_amd64.deb
 4d6a415a43d41c656037a98e0409ffb2610b596556b70d816fa09864c83feda9 57728 ghostscript-cups_8.71~dfsg-2_amd64.deb
 17c4baf1c5a08af96ef58dfea537b8b02d8365ad7a1dd77cf9cef7399bba16c8 77204 ghostscript-x_8.71~dfsg-2_amd64.deb
 af8a9ebd2390ccdcc8c6031c25822b101adc44e60deefc8a9f0b1e0b04cb5c11 2230480 libgs8_8.71~dfsg-2_amd64.deb
 b9c386192bca3ea0ee231b7b9c8ff84346805b1555d82679e030637d894cb84a 2816422 libgs-dev_8.71~dfsg-2_amd64.deb
Files: 
 d6a75019cc874ac0e8adafb2c5d6334c 1770 text optional ghostscript_8.71~dfsg-2.dsc
 f9e407060bed9cdc8f4e3b4f2f5a8300 198072 text optional ghostscript_8.71~dfsg-2.debian.tar.gz
 77cf564305715c568197b757eef3fc15 42518 text extra gs-esp_8.71~dfsg-2_all.deb
 9a478e131f56b4f2bcf258255689c3fb 42520 text extra gs-gpl_8.71~dfsg-2_all.deb
 d3fea5532a19aa1be5ad0c3e4b5321eb 42544 text extra gs-common_8.71~dfsg-2_all.deb
 4ef232137e176a20fbf804ad3e07bceb 3231518 doc optional ghostscript-doc_8.71~dfsg-2_all.deb
 2b12561427403404317a882f5bd46951 4117266 text optional ghostscript_8.71~dfsg-2_amd64.deb
 7869934f8211801527d4646519b771df 57728 text optional ghostscript-cups_8.71~dfsg-2_amd64.deb
 c0213123ec8be554f8731bd66803c6b8 77204 text optional ghostscript-x_8.71~dfsg-2_amd64.deb
 e0cdb3a9814373238b39b5f045e0a684 2230480 libs optional libgs8_8.71~dfsg-2_amd64.deb
 67e7f02f98bef26ef981eaa1a1807f9b 2816422 libdevel optional libgs-dev_8.71~dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAkuKp3MACgkQn7DbMsAkQLj3/wCfQ89353QR0T8qrbYttMQZfEbG
qQ4An0DJiydtr0kDJfZkv0bKb80dCL6f
=UUmj
-----END PGP SIGNATURE-----



--- End Message ---
