CVE-2007-2721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2721): The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.
Both app-text/ghostscript-gpl and app-text/ghostscript-gnu contain code copies of media-libs/jasper. CVE-2007-2721 as fixed in bug 179159 might still affect these packages. For ghostscript-gpl I could confirm that the Jasper code is compiled. I did not check every available ebuild, only the latest stables. Ghostscript accepted the jasper patch upstream:
http://cvs.ghostscript.com/cgi-bin/viewcvs.cgi/ghostscript?rev=8298&view=rev
See URL for further reference.
*** Bug 197802 has been marked as a duplicate of this bug. ***
ghostscript-gpl revisions which apply the patch are now in the tree as:
ghostscript-gpl-8.60-r1
ghostscript-gpl-8.57-r1
ghostscript-gpl-8.54-r1
Thanks. Timo, what about app-text/ghostscript-gnu? Arches, please test and mark stable app-text/ghostscript-gpl-8.60-r1. Target keywords : "amd64 arm hppa ppc sh sparc x86"
Sparc stable for ghostscript-gpl-8.60-r1.
x86 stable
Stable for HPPA.
ppc stable
Ehh... I've gone and done app-text/ghostscript-gpl on amd64. Are we supposed to be doing anything with app-text/ghostscript-gnu? If so, add us back to this bug.
(In reply to comment #9)
> Are we supposed to be doing anything with app-text/ghostscript-gnu?
Not until printing has an ebuild ready.
Timo, printing, any word on -gnu?
(In reply to comment #11)
> Timo, printing, any word on -gnu?
Sorry for the delay. ghostscript-gnu revision which applies the patch is now in the tree as: ghostscript-gnu-8.60.0-r1
Arches, please test and mark stable app-text/ghostscript-gnu-8.60.0-r1. Target keywords : "ppc64"
(In reply to comment #9)
> Ehh... I've gone and done app-text/ghostscript-gpl on amd64. Are we supposed
> to be doing anything with app-text/ghostscript-gnu? If so, add us back to this
> bug.
Seems it was never stable on amd64, so nothing to do.
ppc64 done
GLSA vote now open. From the description of the bug I'd vote yes, but bug 179159 went [noglsa].
voting no since previous went noglsa.
Voting NO and closing.