CVEs have been assigned for security issues fixed upstream in ghostscript: http://openwall.com/lists/oss-security/2016/10/05/15 Commits to fix the issues are linked in the message above. Patched package uploaded for Cauldron. Backporting to Mageia 5 doesn't appear to be trivial.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => anaselli, lmenut, mageia, marja11, thierry.vignaud
Assignee: bugsquad => pkg-bugs
CVE-2016-8602 assigned for an additional issue fixed upstream: http://openwall.com/lists/oss-security/2016/10/11/7 I added that patch in Cauldron.
Summary: ghostscript new security issues CVE-2016-797[6-9] => ghostscript new security issues CVE-2016-797[6-9] and CVE-2016-8602
URL: (none) => http://lwn.net/Vulnerabilities/703324/
Fedora has issued an advisory on January 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJ3D6O5XHLO4UJVJETVCWPIWWWV6LQUE/ It fixes one additional issue.
Summary: ghostscript new security issues CVE-2016-797[6-9] and CVE-2016-8602 => ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, and CVE-2016-9601
(In reply to David Walser from comment #3)
> Fedora has issued an advisory on January 28:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJ3D6O5XHLO4UJVJETVCWPIWWWV6LQUE/
>
> It fixes one additional issue.

The patch Fedora added for that doesn't apply for 9.19, so we need to update it to 9.20.
(In reply to David Walser from comment #3)
> Fedora has issued an advisory on January 28:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJ3D6O5XHLO4UJVJETVCWPIWWWV6LQUE/
>
> It fixes one additional issue.

LWN reference: https://lwn.net/Vulnerabilities/713054/
Fedora has issued an advisory on April 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X7ZOUSQTFLCTRWNFRBBA6SC6K2Z6NRVI/ It fixes an additional issue, CVE-2017-7207.
Summary: ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, and CVE-2016-9601 => ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, CVE-2016-9601, CVE-2017-7207
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=20744
*** Bug 20744 has been marked as a duplicate of this bug. ***
CC: (none) => mandriva
(In reply to David Walser from comment #6)
> Fedora has issued an advisory on April 9:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X7ZOUSQTFLCTRWNFRBBA6SC6K2Z6NRVI/
>
> It fixes an additional issue, CVE-2017-7207.

Fixed in new rpm.
CC: (none) => mageia
Increasing priority and severity for CVE-2017-8291, which appears to have known exploits.
Summary: ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, CVE-2016-9601, CVE-2017-7207 => ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, CVE-2016-9601, CVE-2017-7207, CVE-2017-8291
Severity: normal => critical
Priority: Normal => High
IIRC, upgrading the ghostscript version broke building some other packages which required patching, so we need to be careful with upgrading it in mga5.
Like what? I can look too.
(In reply to Nicolas Lécureuil from comment #11)
> Like what? I can look too.

It's been a while, I don't remember off the top of my head. I wish there was an easy way to search svn log or changelogs referencing ghostscript or ijs-config. ijs-config was removed in 9.19, I think that caused the breakage.
src.rpm: ghostscript-9.20-1.mga5
Assignee: pkg-bugs => qa-bugs
(In reply to Nicolas Lécureuil from comment #13)
> src.rpm: ghostscript-9.20-1.mga5

Why not 9.21 if we're changing versions anyway? BTW don't forget about cauldron, it currently has 9.19 so < 9.20-1.mga5.
It hasn't been stated yet, but there are more new CVEs that Nicolas included patches for: CVE-2016-10217 through CVE-2016-10220 and CVE-2017-5951. Fedora is still on 9.20, so I'd guess that's why we haven't updated to 9.21 yet.
Note that the ghostscript update breaks building some packages, so we'll need to include fixes for gutenprint, libspectre, and possibly libaccounts-glib as well.
gutenprint and libspectre are now available in updates_testing. I don't see gs as a BR of libaccounts-glib.
Full list of CVEs is (I believe) now in the bug title. Advisory to come. Full package list below.

ghostscript-9.20-1.mga5
ghostscript-dvipdf-9.20-1.mga5
ghostscript-common-9.20-1.mga5
ghostscript-X-9.20-1.mga5
ghostscript-module-X-9.20-1.mga5
libgs9-9.20-1.mga5
libgs-devel-9.20-1.mga5
libijs1-0.35-115.mga5
libijs-devel-0.35-115.mga5
ghostscript-doc-9.20-1.mga5
libgutenprint2-5.2.10-5.1.mga5
libgutenprint2-devel-5.2.10-5.1.mga5
libgutenprintui2_1-5.2.10-5.1.mga5
libgutenprintui2_1-devel-5.2.10-5.1.mga5
gutenprint-common-5.2.10-5.1.mga5
gutenprint-cups-5.2.10-5.1.mga5
gutenprint-foomatic-5.2.10-5.1.mga5
gutenprint-escputil-5.2.10-5.1.mga5
gutenprint-gimp2-5.2.10-5.1.mga5
libspectre1-0.2.7-5.1.mga5
libspectre-devel-0.2.7-5.1.mga5

from SRPMS:
ghostscript-9.20-1.mga5.src.rpm
gutenprint-5.2.10-5.1.mga5.src.rpm
libspectre-0.2.7-5.1.mga5.src.rpm
Summary: ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, CVE-2016-9601, CVE-2017-7207, CVE-2017-8291 => ghostscript new security issues CVE-2016-797[6-9], CVE-2016-8602, CVE-2016-9601, CVE-2016-1021[7-9], CVE-2016-10220, CVE-2017-5951, CVE-2017-7207, CVE-2017-8291
MGA5-32 on Asus A6000VM Xfce. No installation issues. Got inspiration from bug 16453 Comment 11. Used text file lspcidrake.txt from some previous test, and opened this with mousepad. File is rather wide, and fiddling with settings always gave a print with only the right hand side of the file. Tried the same file with pluma and there all OK. Used print to file from pluma to generate a ps file, and used ps2pdf to create a pdf file, and that was also OK.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Created attachment 9248 [details] text file used with mousepad and pluma
x86_64 on real hardware. Pre-update - referencing bug 16453: Installed missing packages and converted a couple of Postscript Type 1 files to PDF format using ps2pdf and ran gs and xpdf against them for comparison. They looked identical after the conversion. Waiting now for any links the advisory may provide before updating and testing any further.
CC: (none) => tarazed25
@Len
> Waiting now for any links the advisory may provide before updating
> and testing any further.

The title (Comment 18) has all the CVEs, which you *could* use to search for PoCs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-yyyy-nnnn
But it looks as if 'it still works' is what matters. Cross-checking.

Updated to:
- ghostscript-9.20-1.mga5.x86_64
- ghostscript-common-9.20-1.mga5.x86_64
- ghostscript-module-X-9.20-1.mga5.x86_64
- gutenprint-common-5.2.10-5.1.mga5.x86_64
- gutenprint-cups-5.2.10-5.1.mga5.x86_64
- gutenprint-foomatic-5.2.10-5.1.mga5.x86_64
- lib64gs9-9.20-1.mga5.x86_64
- lib64gutenprint2-5.2.10-5.1.mga5.x86_64
- lib64spectre1-0.2.7-5.1.mga5.x86_64

I produced a pageprint .ps & same .pdf file from Firefox, they looked the same (but not too clever) in Atril & mupdf.
Using $ gs ghostscript.ps|pdf directly is not impressive, but the output looks the same.
$ ps2pdf ghostscript.ps ghostscript1.pdf
The resulting PDF in viewers looks the same as the original ex Firefox.
Used LO Draw to create a simple PDF file which then converted to PS:
$ pdf2ps draw.pdf draw.ps
The result was *not* perfect. But was it ever?
$ pdf2ps ghostscript.pdf ghostscript1.ps
The result is basically the same as the original, but with visible degradation.
Am giving this the OK (Withdraw it if you wish, Len).
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith
Agreed, Lewis.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Package list in Comment 18. Advisory below.

Advisory:
========================

Updated ghostscript packages fix security vulnerabilities:

Various userparams in Ghostscript allow %pipe% in paths, allowing remote shell command execution (CVE-2016-7976).

The .libfile function in Ghostscript doesn't check PermitFileReading array, allowing remote file disclosure (CVE-2016-7977).

Reference leak in the .setdevice function in Ghostscript allows use-after-free and remote code execution (CVE-2016-7978).

Type confusion in the .initialize_dsc_parser function in Ghostscript allows remote code execution (CVE-2016-7979).

The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack (CVE-2016-8602).

A heap based buffer overflow was found in the ghostscript jbig2_decode_gray_scale_image() function used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript (CVE-2016-9601).

The pdf14_open function in base/gdevp14.c in Ghostscript 9.20 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted file that is mishandled in the color management module (CVE-2016-10217).

The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF Transparency module in Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file (CVE-2016-10218).

The intersect function in base/gxfill.c in Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file (CVE-2016-10219).

The gs_makewordimagedevice function in base/gsdevmem.c in Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module (CVE-2016-10220).

The mem_get_bits_rectangle function in base/gdevmem.c in Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file (CVE-2017-5951).

The mem_get_bits_rectangle function in Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document (CVE-2017-7207).

Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program (CVE-2017-8291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
http://openwall.com/lists/oss-security/2016/10/05/15
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJ3D6O5XHLO4UJVJETVCWPIWWWV6LQUE/
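As an added example (not part of this bug report, Mageia's packaging or Ghostscript itself), a small Python pre-filter that flags the constructs the advisory describes before an untrusted document is handed to gs: %pipe% device paths outside comments, and the undocumented internal operators named in the CVEs. The two sample inputs are constructed, the text after %pipe% is a placeholder and not a command, and the filter is a screening aid only, not a substitute for the updated packages.

```python
import re

# Constructed sample inputs (not from the bug report). The second carries the
# two constructs the advisory names: a %pipe% device path in a string literal
# and a call to an undocumented internal operator.
BENIGN_PS = b"""%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello, printer) show
showpage
"""

SUSPICIOUS_PS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
<< /OutputFile (%pipe%PLACEHOLDER_NOT_A_COMMAND) >> setpagedevice
(x) .libfile
"""

# Internal operators from the advisory; none belongs in a page-drawing document.
INTERNAL_OPS = (b".libfile", b".setdevice", b".initialize_dsc_parser",
                b".sethalftone5", b".rsdparams")


def _strip_comment(line: bytes) -> bytes:
    """Drop a trailing '%' comment while keeping '%' inside (...) strings."""
    depth, i = 0, 0
    while i < len(line):
        c = line[i:i + 1]
        if c == b"\\" and depth:        # escaped char inside a string
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")" and depth:
            depth -= 1
        elif c == b"%" and depth == 0:  # a real comment starts here
            return line[:i]
        i += 1
    return line


def scan_postscript(data: bytes) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every suspicious construct found."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        code = _strip_comment(raw)
        if b"%pipe%" in code:
            findings.append((lineno, "%pipe% device path"))
        for op in INTERNAL_OPS:
            if re.search(rb"(?<![\w.])" + re.escape(op) + rb"(?!\w)", code):
                findings.append((lineno, "internal operator " + op.decode()))
    return findings
```

A document that produces any finding should be rejected or quarantined rather than passed to gs, even with -dSAFER, since CVE-2017-8291 shows -dSAFER alone did not contain this class of input.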
Thank you David for the advisory; it is uploaded.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0133.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED