Summary: | <app-text/ghostscript-gpl-8.71 Multiple vulnerabilities (CVE-2009-{3743,4270,4897},CVE-2010-4054) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=540760 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 264594 | ||
Bug Blocks: |
Description
Alex Legler (RETIRED)
2010-01-08 17:17:23 UTC
New upstream version app-text/ghostscript-gpl-8.71 in CVS (depends on ~testing libpng-1.2.42). So 8.71 is ok to go stable?! I've just put -r1 into CVS which should be considered the stable candidate since it addresses most regressions 8.71 caused. Should be good to go stable in about 1-2 days. CVE-2009-4897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4897): Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document containing a long name. GLSA request filed. No affected package in the tree anymore. Nothing left to do for printing. CVE-2009-3743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3743): Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that trigger an integer overflow and a heap-based buffer overflow. CVE-2010-4054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4054): The gs_type2_interpret function in Ghostscript allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) via crafted font data in a compressed data stream, aka bug 691043. This issue was resolved and addressed in GLSA 201412-17 at http://security.gentoo.org/glsa/glsa-201412-17.xml by GLSA coordinator Sean Amoss (ackle). |