Summary: | app-text/ghostscript-gnu Multiple vulnerabilities (CVE-2007-6725,CVE-2008-6679) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | pva |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2009-04-02 11:43:07 UTC
Note that app-text/ghostscript-gpl-8.64 already comes with both patches, whereas -gnu ships the vulnerable code.

Thank you Robert for the report. Ebuild with patch committed. ppc64, please, stabilize.

ppc64 done

CVE-2007-6725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6725): The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function.

CVE-2008-6679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6679): Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.

Is anything still required here maintainer-wise? I wonder why it's still in [ebuild] state.

The fix for CVE-2007-6725 that went into 8.64 was meant as a work-around. Upstream states this here: http://bugs.ghostscript.com/show_bug.cgi?id=689917#c5 However, none of the patches in comment 11 and 12 received a review yet.

Can someone verify which versions of the packages are unaffected and stable? I cannot currently sync CVS.

I don't have the time nor the ambition to take care of ghostscript-gnu, too, and I'm in favor of masking it if no one else wants to take care of it. Do we really need it besides -gpl anyway?

I've asked gnu-ghostscript developers about differences and got a rather ambiguous answer: it looks like gnu-ghostscript has a few more drivers (what?) and has non gpl-parts dropped (probably CMaps but what else?). Since gpl-ghostscript is times more maintained and code-base is gpl'ed I also think that it's better to drop ghostscript-gnu from the tree. Objections?

(In reply to comment #8)
> I also think that it's better to drop ghostscript-gnu from the tree. Objections?

Not from our side.

Removed from main tree. Security: your turn now.

maskglsa request filed

Package not in the tree anymore. Nothing left to do for printing.

We will not be sending a maskglsa for this.