Your message dated Sat, 22 Sep 2012 00:02:54 +0000
with message-id <e1tfdbo-0000js...@franck.debian.org>
and subject line Bug#687274: fixed in ghostscript 9.05~dfsg-6.1
has caused the Debian Bug report #687274,
regarding CVE-2012-4405 integer overflow leading to heap based buffer overflow in embedded icclib
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
687274: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Severity: grave
Tags: security patch

Hi,
the following vulnerability was published for ghostscript.
Quoting from the original report, as the mitre entry does not exist so far..

CVE-2012-4405[0]:
| An array index error leading to heap-based buffer out-of-buffer bounds write
| flaw was found in the way International Color Consortium (ICC) Format library
| (aka icclib) as used in Ghostscript and Argyll Color Management System computed
| dimensional increment through the clut based on the count of input channels.
| Using specially-crafted ICC profiles, an attacker could create a malicious
| PostScript or PDF file with embedded images which would cause Ghostscript to
| crash or, potentially, execute arbitrary code when opened by the victim.
| Similarly when such specially-crafted ICC profile was inspected by some of the
| Argyll Color Management System tools it could lead to particular executable
| crash or, arbitrary code execution with the privileges of the user running the

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405
    http://security-tracker.debian.org/tracker/CVE-2012-4405

Patch: https://bugzilla.redhat.com/attachment.cgi?id=609986

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.05~dfsg-6.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <k...@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Sep 2012 01:18:12 +0200
Source: ghostscript
Binary: ghostscript ghostscript-cups ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.05~dfsg-6.1
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-print...@lists.debian.org>
Changed-By: Cyril Brulebois <k...@debian.org>
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-cups - interpreter for the PostScript language and for PDF - CUPS filter
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 687274 687300
Changes: 
 ghostscript (9.05~dfsg-6.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Apply security patch for CVE-2012-4405 (Closes: #687274): error out if
     inputChan is strictly less than 1 in icmLut_read(), thanks to Nico Golde
     for the pointers.
   * Enable xz compression for all binaries (Closes: #687300).
Checksums-Sha1: 
 9236b036ea032f2ed4d07ed191b829b453d79cb0 2168 ghostscript_9.05~dfsg-6.1.dsc
 532babb01e165fc532afa653656de42c21cb8a12 105362 ghostscript_9.05~dfsg-6.1.debian.tar.gz
 8754ccace6848ea58040b0d7c9bf40164f746ead 2325870 ghostscript-doc_9.05~dfsg-6.1_all.deb
 42fbe7b9bcd9260371d977f1a8d34b613e8274e9 1977094 libgs9-common_9.05~dfsg-6.1_all.deb
 bf1c5fd28add78ae86a71334e7d21330f0a6f5e7 79634 ghostscript_9.05~dfsg-6.1_amd64.deb
 d51d4f96cd84a56689fa2ee953ee2c0ed7acfe70 60026 ghostscript-cups_9.05~dfsg-6.1_amd64.deb
 2ae846826d99d4667ee00f23c2930cccb0569901 71296 ghostscript-x_9.05~dfsg-6.1_amd64.deb
 cb1a65beb1f9fce4d8820d11e61a5388c361748b 1842870 libgs9_9.05~dfsg-6.1_amd64.deb
 23a4d1f2b6f917f1c6bf319f65da784223595453 2035254 libgs-dev_9.05~dfsg-6.1_amd64.deb
 3890aabaa9f76ed940b7cbd4031681ab711b139e 5322324 ghostscript-dbg_9.05~dfsg-6.1_amd64.deb
Checksums-Sha256: 
 4f8a9d3eecd77e2bf72572981477ed18ae8c1ad109d2086ce2bfb5af6774a3ee 2168 ghostscript_9.05~dfsg-6.1.dsc
 9d967c0966bdf0b02be6ec111a48a4e4074aa71c1587fbaf96f58a70b00d37f1 105362 ghostscript_9.05~dfsg-6.1.debian.tar.gz
 281bb85623e3a23d2b78130898f6c5b536b5bee62fb2d16ffd9175ead7b2220f 2325870 ghostscript-doc_9.05~dfsg-6.1_all.deb
 d02550d90fd2b608aac3c2c28b2e40e6f808d4a39e8289149c9821f05ae0e964 1977094 libgs9-common_9.05~dfsg-6.1_all.deb
 49f7be9c994bb682deb689bda5bb2d49198b89633fbf5c67ff3a7d0238f4d353 79634 ghostscript_9.05~dfsg-6.1_amd64.deb
 9877ea8d5211dda38b905e40d028f7cac0bdb15bcf941ececa6c175b3da89ee9 60026 ghostscript-cups_9.05~dfsg-6.1_amd64.deb
 955432f3d0fa1c1249b308f760dc55b6c5443a0d358a34ff279982058fc43e3b 71296 ghostscript-x_9.05~dfsg-6.1_amd64.deb
 e826e445d901081f19b54729b810233ed39b44961e9bb07fc0b3c962a5426739 1842870 libgs9_9.05~dfsg-6.1_amd64.deb
 45d84b0c75aff697f949312c411c1919345574224b577fa5422d6a084b27486e 2035254 libgs-dev_9.05~dfsg-6.1_amd64.deb
 dd8dfcd2ad5f45efa719f15cc611a0c0910d37ec907664ba682a7e7550db689d 5322324 ghostscript-dbg_9.05~dfsg-6.1_amd64.deb
Files: 
 acaa7ebb6dba572524cd2f930b192b99 2168 text optional ghostscript_9.05~dfsg-6.1.dsc
 9bcdbf1e421436a27fb1603b2ec9e61e 105362 text optional ghostscript_9.05~dfsg-6.1.debian.tar.gz
 fbb04f48ede195596b706a4419b92ea1 2325870 doc optional ghostscript-doc_9.05~dfsg-6.1_all.deb
 7ba3029366e00985a9ab439026f12dce 1977094 libs optional libgs9-common_9.05~dfsg-6.1_all.deb
 5dc84a458ea8e4e363e851be9b86633a 79634 text optional ghostscript_9.05~dfsg-6.1_amd64.deb
 eab9ad77e112e877fdeeef3984debb69 60026 text optional ghostscript-cups_9.05~dfsg-6.1_amd64.deb
 1be695b1cefe9525c8aef1418564eaec 71296 text optional ghostscript-x_9.05~dfsg-6.1_amd64.deb
 571e6c5b20b7f778df59bf162bc0e981 1842870 libs optional libgs9_9.05~dfsg-6.1_amd64.deb
 c47fd30d16eacabe6b7b43c44fa3a8ec 2035254 libdevel optional libgs-dev_9.05~dfsg-6.1_amd64.deb
 ff17877060c8c04aad0f08d59ac2e381 5322324 debug extra ghostscript-dbg_9.05~dfsg-6.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBc/hgACgkQeGfVPHR5Nd02qwCgr+Y1jAvkk77Vs/pK0nDWgmvO
7MAAn2WdqQ7Y2kxmD3guzcVH2ZYANirC
=+C4q
-----END PGP SIGNATURE-----
--- End Message ---
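The changelog above describes the fix as erroring out when inputChan is strictly less than 1 in icmLut_read(), and the original report describes the bug class: the per-dimension increment through the CLUT is derived from the channel count, so an out-of-range count leads to an out-of-bounds heap write. The following C example is added here to illustrate that class of check; it is not icclib's, Ghostscript's or the Debian patch's own code. The struct, the field names inputChan/outputChan/clutPoints, the MAX_CHANNELS limit, the clutPoints >= 2 requirement and the CLUT layout are assumptions modelled on the ICC lut8/lut16 tag layout. It goes slightly beyond the patch: alongside the inputChan check it also bounds the grid-size product, since a 32-bit product of clutPoints^inputChan * outputChan can wrap to a small allocation that the subsequent table fill then overruns.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified view of the lut8/lut16 header fields that
 * determine CLUT geometry (names are assumptions, not icclib's own). */
typedef struct {
    unsigned int inputChan;   /* number of input channels  (i) */
    unsigned int outputChan;  /* number of output channels (o) */
    unsigned int clutPoints;  /* grid points per input dimension (g) */
} lut_header;

#define MAX_CHANNELS 15       /* ICC colour spaces carry at most 15 channels */

/* Constructed "naive" table-size computation in 32-bit arithmetic:
 * accepts inputChan == 0 and silently wraps on large g^i * o. */
uint32_t naive_entries32(const lut_header *h)
{
    uint32_t n = h->outputChan;
    for (unsigned int e = 0; e < h->inputChan; e++)
        n *= h->clutPoints;               /* may wrap past 2^32 */
    return n;
}

/* Hardened geometry computation: entries = g^i * o, plus the increment
 * for stepping one grid point along each input dimension. The first
 * input channel varies slowest (ICC CLUT ordering), so inc[0] is the
 * largest stride. Returns 0 on success, -1 when the header is rejected. */
int clut_geometry(const lut_header *h, size_t max_entries,
                  size_t *entries, size_t inc[MAX_CHANNELS])
{
    /* The CVE-2012-4405 fix as described in the changelog: inputChan < 1 is an error. */
    if (h->inputChan < 1 || h->inputChan > MAX_CHANNELS) return -1;
    if (h->outputChan < 1 || h->outputChan > MAX_CHANNELS) return -1;
    if (h->clutPoints < 2) return -1;     /* assumption: a usable grid needs >= 2 points */
    if (h->outputChan > max_entries) return -1;

    size_t n = h->outputChan;             /* entries occupied by one grid point */
    for (unsigned int e = 0; e < h->inputChan; e++) {
        inc[h->inputChan - 1 - e] = n;    /* stride of the dimension filled innermost */
        /* Reject before multiplying: n * g must stay within max_entries
         * (and therefore within size_t), so the product can never wrap. */
        if (n > max_entries / h->clutPoints) return -1;
        n *= h->clutPoints;
    }
    *entries = n;
    return 0;
}

int main(void)
{
    size_t entries = 0, inc[MAX_CHANNELS];
    size_t limit = (size_t)1 << 31;       /* constructed allocation budget in entries */

    lut_header ok   = { 3, 4, 17 };       /* 3-in, 4-out, 17 grid points */
    lut_header zero = { 0, 3, 17 };       /* zero input channels: the CVE case */
    lut_header big  = { 4, 3, 256 };      /* 256^4 * 3 wraps to 0 in 32 bits */

    if (clut_geometry(&ok, limit, &entries, inc) == 0)
        printf("ok:   %zu entries, strides %zu/%zu/%zu\n",
               entries, inc[0], inc[1], inc[2]);
    printf("zero: naive=%u hardened=%s\n", naive_entries32(&zero),
           clut_geometry(&zero, limit, &entries, inc) < 0 ? "rejected" : "accepted");
    printf("big:  naive=%u hardened=%s\n", naive_entries32(&big),
           clut_geometry(&big, limit, &entries, inc) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The divide-before-multiply check is the important pattern: a parser that first computes the product and then compares it against a limit has already lost, because the wrapped value is what gets compared and allocated.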