
Bug 607190

Summary: <app-text/ghostscript-gpl-9.20-r1: Multiple vulnerabilities through bundled media-libs/openjpeg
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: dev-zero
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 596576    
Bug Blocks:    

Description Thomas Deutschmann gentoo-dev 2017-01-25 15:29:43 UTC
app-text/ghostscript-gpl is currently bundling media-libs/openjpeg (ghostscript-gpl-9.19 includes openjpeg-2.1.0).

The package should be affected by most vulnerabilities mentioned in

Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2017-01-25 17:59:56 UTC
Unbundling openjpeg seems possible (upstream uses 2.1.0), but `base/lib.mak` needs to be patched to make it build with openjpeg 2.1.1+.

See for a preliminary version bump to 9.20

Comment 2 Thomas Deutschmann gentoo-dev 2017-01-30 00:37:33 UTC
OpenJPEG was unbundled in as part of bug 596576.

Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-02-21 12:46:17 UTC
All vulnerable versions have been removed.

Comment 4 Thomas Deutschmann gentoo-dev 2017-02-21 18:23:22 UTC
Added to an existing GLSA request.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-02-22 11:25:00 UTC
This issue was resolved and addressed in
 GLSA 201702-31 at
by GLSA coordinator Thomas Deutschmann (whissi).