A security issue fixed upstream in Ghostscript 9.23 has been announced: http://openwall.com/lists/oss-security/2018/04/19/5 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, smelror
Fedora has issued an advisory for this on April 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KAA4HM5ZWQWEFKXJK72E6S3MLTY2VN36/
Ubuntu has issued an advisory for this on April 30: https://usn.ubuntu.com/3636-1/
CC: (none) => lists.jjorge
Assignee: pkg-bugs => lists.jjorge
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs
Submitted version 9.23 as it was in cauldron today to MGA6 and MGA5. MGA5 build failed, so at least for MGA6 it can be tested.

RPMS:
ghostscript-9.23-1.mga6.i586.rpm
ghostscript-dvipdf-9.23-1.mga6.i586.rpm
ghostscript-common-9.23-1.mga6.i586.rpm
ghostscript-X-9.23-1.mga6.i586.rpm
ghostscript-module-X-9.23-1.mga6.i586.rpm
libgs9-9.23-1.mga6.i586.rpm
libgs-devel-9.23-1.mga6.i586.rpm
libijs1-0.35-127.mga6.i586.rpm
libijs-devel-0.35-127.mga6.i586.rpm
ghostscript-9.23-1.mga6.x86_64.rpm
ghostscript-dvipdf-9.23-1.mga6.x86_64.rpm
ghostscript-common-9.23-1.mga6.x86_64.rpm
ghostscript-X-9.23-1.mga6.x86_64.rpm
ghostscript-module-X-9.23-1.mga6.x86_64.rpm
lib64gs9-9.23-1.mga6.x86_64.rpm
lib64gs-devel-9.23-1.mga6.x86_64.rpm
lib64ijs1-0.35-127.mga6.x86_64.rpm
lib64ijs-devel-0.35-127.mga6.x86_64.rpm
ghostscript-doc-9.23-1.mga6.noarch.rpm
Advisory to come later. It looks like Mageia 5 maybe just needed an autoreconf, so trying that now.
Yep, that worked. Easy peasy.

ghostscript-9.23-1.mga5
ghostscript-dvipdf-9.23-1.mga5
ghostscript-common-9.23-1.mga5
ghostscript-X-9.23-1.mga5
ghostscript-module-X-9.23-1.mga5
libgs9-9.23-1.mga5
libgs-devel-9.23-1.mga5
libijs1-0.35-127.mga5
libijs-devel-0.35-127.mga5
ghostscript-doc-9.23-1.mga5

from ghostscript-9.23-1.mga5.src.rpm
Advisory:
========================

Updated ghostscript packages fix security vulnerability:

The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document (CVE-2018-10194).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
http://openwall.com/lists/oss-security/2018/04/19/5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KAA4HM5ZWQWEFKXJK72E6S3MLTY2VN36/
Mageia 6, x86_64

There is a test for the CVE but no reproducer file unfortunately.

Used gs to view a couple of PDF files, pressing return to click through the pages. (Used drakfont to import some fonts and then copied them to /usr/share/fonts/default/ghostscript and executed type1inst in that directory. LO could not see them until this was done.)

Used a local ruby/tk utility to generate a page of labels in a selected font. Viewed that using gs and LibreOffice.

Command-line printing works fine.

$ lpr -Pokda ~/tmp/abc-0.ps

That looked just as it did in gs and LO.

$ lpr -Pokda refcard.pdf

That printed a two page PDF.

Generate a six-page PDF from a DVI file.

$ dvipdf refcard.dvi emacs.pdf

emacs.pdf can be viewed page by page in gs. Checked it in xpdf also.

Don't know how to use gs for printing but the following seemed to generate data which might be a raster file. The trick is to know what DEVICE to specify and that I cannot figure.

$ gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=~/tmp/whatever -dSAFER abc-0.ps -c quit

This all looks OK.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
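The QA comment above exercises gs by hand. As an added example that is not part of this bug report or of the Mageia packaging, the script below automates the two checks a sysadmin would want after this update: whether the installed gs reports a version at or past 9.23 (the release carrying the CVE-2018-10194 fix), and whether the pdfwrite device, where the fixed set_text_distance code lives, still converts a small PostScript file under -dSAFER. The version thresholds are taken from the advisory; the sample PostScript input is constructed here, and the script skips the render check when gs is not on PATH.

```shell
#!/bin/sh
# Added example, not from the bug report: version check and a pdfwrite
# smoke test for the Ghostscript update that fixes CVE-2018-10194.

# Fix landed upstream in 9.23 (from the advisory text above).
FIXED_MAJOR=9
FIXED_MINOR=23

# gs_version_fixed VERSION
#   Returns 0 when VERSION (as printed by `gs --version`, e.g. "9.22",
#   "9.23" or "10.01.2") is at or past the fixed release, 1 otherwise.
gs_version_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    # A bare "10" has no minor component.
    if [ "$rest" = "$ver" ]; then
        minor=0
    else
        minor=${rest%%.*}
    fi
    # Strip leading zeros ("01" -> "1") so the numeric compare is not
    # read as octal by some shells; an all-zero field becomes 0.
    minor=$(printf '%s' "$minor" | sed 's/^0*//')
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 1; fi
    [ "$minor" -ge "$FIXED_MINOR" ]
}

# check_installed_gs
#   Reports on the gs found on PATH. Returns 0 (fixed), 1 (needs update)
#   or 2 (gs not installed).
check_installed_gs() {
    if ! command -v gs >/dev/null 2>&1; then
        echo "gs: not installed, nothing to check"
        return 2
    fi
    v=$(gs --version 2>/dev/null)
    if gs_version_fixed "$v"; then
        echo "gs $v: at or past 9.23, includes the CVE-2018-10194 fix"
        return 0
    fi
    echo "gs $v: older than 9.23, update needed"
    return 1
}

# pdfwrite_smoke_test
#   Writes a constructed one-line PostScript page and converts it with
#   the pdfwrite device under -dSAFER, the same options the QA comment
#   uses. Returns gs's exit status; returns 2 when gs is absent.
pdfwrite_smoke_test() {
    command -v gs >/dev/null 2>&1 || return 2
    tmpdir=$(mktemp -d) || return 3
    # Constructed sample input: one page of text, nothing from the report.
    printf '%%!PS\n/Helvetica findfont 12 scalefont setfont\n72 72 moveto (pdfwrite smoke test) show\nshowpage\n' \
        > "$tmpdir/in.ps"
    gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
        -sOutputFile="$tmpdir/out.pdf" "$tmpdir/in.ps" >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] && [ -s "$tmpdir/out.pdf" ] && echo "pdfwrite: produced $tmpdir/out.pdf"
    rm -rf "$tmpdir"
    return "$rc"
}

# Usage: report on whatever gs is present; absence is not an error here.
check_installed_gs || :
```

The version compare deliberately ignores anything after the second dot, so a distribution build such as 9.23-1.mga6 compares on 9.23 alone; whether that package actually contains the fix is what the advisory and the RPM changelog establish, not the version string.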
Mageia 5, x86_64

Installed the packages as listed and ran similar tests to those in comment 8. All ran fine.

There was something a little odd with gs when viewing a Linux Journal PDF from 2012. It has 114 pages. Typed quit after about 20 pages and it insisted on running through the remaining pages at high speed before quitting.

This update is OK.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Advisory from comments 4, 6, 7.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0219.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED