Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 617022 (CVE-2017-7207) - <app-text/ghostscript-gpl-9.21 : NULL pointer dereference in mem_get_bits_rectangle()
Summary: <app-text/ghostscript-gpl-9.21 : NULL pointer dereference in mem_get_bits_rec...
Status: RESOLVED FIXED
Alias: CVE-2017-7207
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
: 621124 (view as bug list)
Depends on: CVE-2017-8291
Blocks:
  Show dependency tree
 
Reported: 2017-04-29 17:13 UTC by Ian Zimmerman
Modified: 2017-10-08 20:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2017-04-29 17:13:57 UTC 
RH summary [1]:
A null pointer vulnerability was found in mem_get_bits_rectangle() when trying to read from unallocated memory.

Upstream patch [2]

Upstream ref [3]

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7207
[2] http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091
[3] https://bugs.ghostscript.com/show_bug.cgi?id=697676
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 11:55:18 UTC 
CVE ID: CVE-2017-7207
   Summary: The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document.
 Published: 2017-03-21T06:59:00.000Z
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-07 19:57:09 UTC 
*** Bug 621124 has been marked as a duplicate of this bug. ***
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-06-09 22:55:35 UTC 
Patched in our 9.21
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-08-02 04:08:21 UTC 
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-08-21 01:16:47 UTC 
This issue was resolved and addressed in
 GLSA 201708-06 at https://security.gentoo.org/glsa/201708-06
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-21 01:20:05 UTC 
Re-opening for remaining architecture.