| Summary: | app-text/ghostscript-gpl-9.21 : Memory corruption / type confusion | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | printing, slyfox |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | app-text/ghostscript-gpl-9.21 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 617016, 617018, 617020, 617022, 618818 | | |
Description

Hanno Böck, 2017-04-28 08:32:35 UTC

CVE ID: CVE-2017-8291

Summary: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.

Published: 2017-04-27T01:59:02.000Z

Upstream patches:
- https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
- https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3

Not yet released.

Patched in our 9.21

Please stabilize app-text/ghostscript-gpl-9.21 (all stable arches)

x86 stable

amd64 stable

Stable on alpha.

ppc stable

ppc64 stable

arm stable

ia64 stable

sparc stable

@hppa ping. Arches or maintainers please stabilize for hppa ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.

This issue was resolved and addressed in GLSA 201708-06 at https://security.gentoo.org/glsa/201708-06 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for remaining architecture. Maintainer(s), please drop the vulnerable version(s).

Slyfox, please stabilize or drop from stable. This is holding up a security bug, and security cleanup.

hppa stable

Thank you all, Maintainers please proceed to cleanup.

Gentoo Security Padawan ChrisADR