On Wednesday 01 April 2009, Jan Lieskovsky wrote:
> 1, DoS (crash) in CCITTFax decoding filter
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=493442
> https://bugzilla.redhat.com/show_bug.cgi?id=229174
> -^ original report, so CVE-2007-XXXX will be needed
> https://bugzilla.redhat.com/show_bug.cgi?id=493442#c1 (PoC)
upstream patch: http://svn.ghostscript.com/viewvc?view=rev&revision=8896
> 2, Buffer overflow in BaseFont writer module for pdfwrite device
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=493445
> http://bugs.ghostscript.com/show_bug.cgi?id=690211
> -^ upstream bug report, so CVE-2008-XXXX will be needed
>
> http://svn.ghostscript.com/viewvc?view=rev&sortby=rev&revision=9304
> (upstream patch)
Note that app-text/ghostscript-gpl-8.64 already comes with both patches, whereas -gnu ships the vulnerable code.
Thank you Robert for the report. Ebuild with patch committed. ppc64, please, stabilize.
ppc64 done
CVE-2007-6725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6725): The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file that triggers a buffer underflow in the cf_decode_2d function.
CVE-2008-6679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6679): Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and possibly other versions, allows remote attackers to cause a denial of service (ps2pdf crash) and possibly execute arbitrary code via a crafted Postscript file.
Is anything still required here maintainer-wise? I wonder why it's still in [ebuild] state.
The fix for CVE-2007-6725 that went into 8.64 was meant as a work-around. Upstream states this here: http://bugs.ghostscript.com/show_bug.cgi?id=689917#c5 However, none of the patches in comments 11 and 12 have received a review yet. Can someone verify which versions of the packages are unaffected and stable? I cannot currently sync CVS.
I have neither the time nor the ambition to take care of ghostscript-gnu, too, and I'm in favor of masking it if no one else wants to take care of it. Do we really need it besides -gpl anyway?
I've asked the gnu-ghostscript developers about the differences and got a rather ambiguous answer: it looks like gnu-ghostscript has a few more drivers (what?) and has the non-gpl parts dropped (probably CMaps but what else?). Since gpl-ghostscript is times more maintained and the code base is gpl'ed, I also think that it's better to drop ghostscript-gnu from the tree. Objections?
(In reply to comment #8)
> I also think that it's better to drop ghostscript-gnu from the tree. Objections?
Not from our side.
Removed from main tree. Security: your turn now.
maskglsa request filed
Package not in the tree anymore. Nothing left to do for printing.
We will not be sending a maskglsa for this.