Univention Bugzilla – Bug 48170
ghostscript: Multiple issues (4.3)
Last modified: 2018-11-21 15:21:20 CET
New Debian ghostscript 9.25~dfsg-0+deb9u1 fixes. This update addresses the following issues:

* Integer overflow in the mark_curve function (CVE-2017-7948)
* Out-of-bounds read in mark_line_tr function (CVE-2017-8908)
* Heap-buffer over-read in the xps_load_sfnt_name function (CVE-2017-9610)
* Buffer overflow in the xps_load_sfnt_name function (CVE-2017-9618)
* Segmentation fault in the xps_true_callback_glyph_name function (CVE-2017-9619)
* Heap-buffer over-read in the xps_select_font_encoding function (CVE-2017-9620)
* Heap-buffer over-read in the xps_decode_font_char_imp function (CVE-2017-9740)
* status command permitted with -dSAFER in psi/zfile.c allowing attackers to identify the size and existence of files (CVE-2018-11645)
* saved execution stacks can leak operator arrays (incomplete fix for CVE-2018-17183) (CVE-2018-17961)
* saved execution stacks can leak operator arrays (CVE-2018-18073)
* 1Policy operator allows a sandbox protection bypass (CVE-2018-18284)
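A practical way to confirm the CVE-2018-11645 fix on an installed system is to run the PostScript `status` operator under -dSAFER against a file that exists but lies outside the sandbox's permitted paths and see whether the interpreter reports its existence. The script below is an added example for this errata entry, not Univention's or Debian's code. It assumes a `gs` binary on PATH (override with `gs_bin`) and uses /etc/passwd as a file that exists on any Debian system but that -dSAFER should not let PostScript inspect; the marker strings are constructed for the probe.

```python
"""Probe whether a ghostscript binary lets the PostScript `status` operator
leak file existence/size under -dSAFER (CVE-2018-11645).

Added example for this errata page; not Univention's or Debian's code.
Assumes a `gs` binary on PATH (override with gs_bin) and a target path that
exists on disk but is outside any path the sandbox permits, e.g. /etc/passwd.
"""
import shutil
import subprocess

# Constructed markers printed by the probe so the verdict does not depend on
# parsing ghostscript's own messages.
LEAK_MARK = "GS-STATUS-LEAK"
SAFE_MARK = "GS-STATUS-BLOCKED"


def ps_string(s: str) -> str:
    """Quote a Python string as a PostScript literal string, escaping the
    backslash and the parentheses that would otherwise terminate it."""
    escaped = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return "(" + escaped + ")"


def build_probe(path: str) -> str:
    """PostScript that calls `status` on path.

    On a vulnerable build `status` pushes pages bytes referenced created true
    for an existing file; the probe drops the four values and prints LEAK_MARK.
    If `status` returns false (file treated as absent) SAFE_MARK is printed;
    a build that refuses with /invalidfileaccess prints an error instead.
    """
    return (
        f"{ps_string(path)} status "
        f"{{ pop pop pop pop ({LEAK_MARK}) print }} "
        f"{{ ({SAFE_MARK}) print }} ifelse quit"
    )


def classify(output: str) -> str:
    """Map interpreter output to a verdict.

    'leaks'   - status revealed that the file exists (vulnerable)
    'blocked' - status returned false or raised /invalidfileaccess (fixed)
    'error'   - neither marker seen; the interpreter failed for some other
                reason, which is not evidence of safety, so it is reported
                separately rather than folded into 'blocked'.
    """
    if LEAK_MARK in output:
        return "leaks"
    if SAFE_MARK in output or "invalidfileaccess" in output:
        return "blocked"
    return "error"


def probe_status_leak(path: str = "/etc/passwd", gs_bin: str = "gs") -> str:
    """Run the probe under -dSAFER and classify the result.

    Returns 'leaks', 'blocked', 'error', or 'unavailable' when no gs binary
    is found on PATH.
    """
    if shutil.which(gs_bin) is None:
        return "unavailable"
    cmd = [gs_bin, "-q", "-dNODISPLAY", "-dSAFER", "-dBATCH", "-dNOPAUSE",
           "-c", build_probe(path)]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    # ghostscript writes PostScript errors to stdout; include stderr anyway.
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(probe_status_leak())
```

Run it on a host before and after installing the errata: a 9.20 build without the fix reports `leaks`, while 9.25~dfsg-0+deb9u1 should report `blocked`. The verdict logic is kept separate from the subprocess call so the same classification can be applied to captured output from hosts where the script itself cannot run.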
--- mirror/ftp/4.3/unmaintained/component/4.3-2-errata/source/ghostscript_9.20~dfsg-3.2+deb9u5.dsc +++ apt/ucs_4.3-0-errata4.3-2/source/ghostscript_9.25~dfsg-0+deb9u1.dsc 
@@ -1,3 +1,67 @@ +9.25~dfsg-0+deb9u1 [Thu, 08 Nov 2018 16:06:47 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * New upstream version 9.25~dfsg + + Fixes regression using ps2ascii after fix for CVE-2018-17183 + (Closes: #909076) + + status operator honour SAFER option (CVE-2018-11645) + * Drop patches applied upstream + * Rebase 2001_docdir_fix_for_debian.patch for 9.25 + * Rebase 2010_add_build_timestamp_setting.patch for 9.25 + * Add patches cherry-picked upstream to fix execution issues. + + Implement .currentoutputdevice operator + + Change "executeonly" to throw typecheck on gstatetype and + devicetype objects + + Undefine some additional internal operators. + + Fix handling of .needinput if used from interpreter + + Ensure all errors are included from initialization + + setundercolorremoval memory corruption + + copydevice fails after stack device copies invalidated + + add operand checking to .setnativefontmapbuilt + + add object type check for AES key + + Add parameter type checking on .bigstring + + zparse_dsc_comments can crash with invalid dsc_state + + Catch errors in setpagesize, .setpagesize and setpagedevice and + cleanup + + Catch errors and cleanup stack on statusdict page size definitions + + Add parameter checking in setresolution + + device subclass open_device call must return child code + + fix DSC comment parsing in pdfwrite + + Check all uses of dict_find* to ensure 0 return properly handled + + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite + + Avoid overrunning non terminated string buffer. + + Prevent SEGV in gs_setdevice_no_erase. + + Fix uninitialised value for render_cond. + + Hide the .needinput operator + + filenameforall calls bad iodev with insufficent scratch + + Improve hiding of security critical custom operators (CVE-2018-17961) + (Closes: #911175) + + Prevent SEGV after calling gs_image_class_1_simple. 
+ + don't push userdict in preparation for Type 1 fonts + + add control over hiding error handlers. (Closes: #909929) + + For hidden operators, pass a name object to error handler. + (CVE-2018-17961) (Closes: #911175) + + Explicitly exclude /unknownerror from the SAFERERRORLIST + + don't include operator arrays in execstack output (CVE-2018-18073) + (Closes: #910758) + + Make .forceput unavailable from '.policyprocs' helper dictionary + (CVE-2018-18284) (Closes: #911175) + + .loadfontloop must be an operator (CVE-2018-17961) (Closes: #911175) + + font parsing - prevent SEGV in .cffparse + * openjpeg allocator must return NULL if size too large + * debian/copyright: Refresh with version from 9.25~dfsg-5 + * debian/libgs9.symbols: Update (and sync from 9.25~dfsg-5) for new version. + Adjust version for errorexec_find@Base. + * Fix cups get/put_params LeadingEdge logic (cf. #912664) + * Avoid privacy breach linking documentation to jquery: + + Add patch 2009 to use local jquery. + + Add symlink from relative link to system-shared jquery library. + + Have ghostscript-doc depend on libjs-jquery. + * Avoid privacy breach linking documentation to font: + + Avoid linking to remote fonts in documentation. + * Avoid privacy breach linking documentation with Google: + + Strip googletagmanager code from documentation. + 9.20~dfsg-3.2+deb9u5 [Fri, 14 Sep 2018 22:53:46 +0200] Moritz Mühlenhoff <jmm@debian.org>: * Fixes for CVE-2018-16509 (fourth patch, rest were applied in deb9u4) <http://10.200.17.11/4.3-2/#1111190459226998680>
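Review bot: this errata replaces 9.20~dfsg-3.2+deb9u5 with a new upstream release rather than backporting the four CVE fixes, and the changelog itself records behaviour changes beyond those CVEs ("Undefine some additional internal operators", "Hide the .needinput operator", "don't push userdict in preparation for Type 1 fonts") as well as a regression already seen after the CVE-2018-17183 fix ("Fixes regression using ps2ascii", Closes: #909076); the errata announcement should say so and ask admins to re-test PostScript or PDF pipelines (ps2ascii, pdfwrite, CUPS filters, where "Fix cups get/put_params LeadingEdge logic (cf. #912664)" also lands) rather than presenting the upload as a pure security fix. Minor: the entry "filenameforall calls bad iodev with insufficent scratch" misspells "insufficient" in the changelog.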
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-2] e1523e768e Bug #48170: ghostscript 9.25~dfsg-0+deb9u1
 doc/errata/staging/ghostscript.yaml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
<http://errata.software-univention.de/ucs/4.3/316.html>