Bug 264614 (CVE-2007-6725) - app-text/ghostscript-gnu Multiple vulnerabilities (CVE-2007-6725,CVE-2008-6679)
Summary: app-text/ghostscript-gnu Multiple vulnerabilities (CVE-2007-6725,CVE-2008-6679)
Status: RESOLVED FIXED
Alias: CVE-2007-6725
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Reported: 2009-04-02 11:43 UTC by Robert Buchholz (RETIRED)
Modified: 2014-06-01 18:20 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 11:43:07 UTC
On Wednesday 01 April 2009, Jan Lieskovsky wrote:
> 1, DoS (crash) in CCITTFax decoding filter
>    References:
>    https://bugzilla.redhat.com/show_bug.cgi?id=493442
>    https://bugzilla.redhat.com/show_bug.cgi?id=229174
>    -^ original report, so CVE-2007-XXXX will be needed
>    https://bugzilla.redhat.com/show_bug.cgi?id=493442#c1 (PoC)

upstream patch:
http://svn.ghostscript.com/viewvc?view=rev&revision=8896

> 2, Buffer overflow in BaseFont writer module for pdfwrite device
>    References:
>    https://bugzilla.redhat.com/show_bug.cgi?id=493445
>    http://bugs.ghostscript.com/show_bug.cgi?id=690211
>    -^ upstream bug report, so CVE-2008-XXXX will be needed
>   
> http://svn.ghostscript.com/viewvc?view=rev&sortby=rev&revision=9304
> (upstream patch)
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 11:43:56 UTC
Note that app-text/ghostscript-gpl-8.64 already comes with both patches, whereas -gnu ships the vulnerable code.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-04-05 20:08:35 UTC
Thank you, Robert, for the report.

Ebuild with patch committed. ppc64, please stabilize.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-04-05 20:29:38 UTC
ppc64 done
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-09 12:10:07 UTC
CVE-2007-6725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6725):
  The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
  other versions, allows remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via a crafted PDF file
  that triggers a buffer underflow in the cf_decode_2d function.

CVE-2008-6679 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6679):
  Buffer overflow in the BaseFont writer module in Ghostscript 8.62,
  and possibly other versions, allows remote attackers to cause a
  denial of service (ps2pdf crash) and possibly execute arbitrary code
  via a crafted Postscript file.

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-05 22:17:51 UTC
Is anything still required here maintainer-wise? I wonder why it's still in [ebuild] state.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-05-06 11:38:00 UTC
The fix for CVE-2007-6725 that went into 8.64 was meant as a work-around. Upstream states this here:
http://bugs.ghostscript.com/show_bug.cgi?id=689917#c5
However, none of the patches in comments 11 and 12 have received a review yet.

Can someone verify which versions of the packages are unaffected and stable? I cannot currently sync CVS.
Comment 7 Timo Gurr (RETIRED) gentoo-dev 2009-08-04 22:16:00 UTC
I have neither the time nor the ambition to take care of ghostscript-gnu too, and I'm in favor of masking it if no one else wants to take care of it. Do we really need it besides -gpl anyway?
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2009-11-15 20:05:19 UTC
I've asked the gnu-ghostscript developers about the differences and got a rather ambiguous answer: it looks like gnu-ghostscript has a few more drivers (what?) and has non-GPL parts dropped (probably CMaps, but what else?). Since gpl-ghostscript is many times better maintained and its code base is GPL'ed, I also think that it's better to drop ghostscript-gnu from the tree. Objections?
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-15 20:19:36 UTC
(In reply to comment #8)

> I also think that it's better to drop ghostscript-gnu from the tree. Objections?

Not from our side.
Comment 10 Tomáš Chvátal (RETIRED) gentoo-dev 2009-12-23 17:32:51 UTC
Removed from main tree.
Security: your turn now.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 14:41:02 UTC
maskglsa request filed
Comment 12 Andreas K. Hüttel archtester gentoo-dev 2011-06-02 19:21:15 UTC
Package not in the tree anymore. 
Nothing left to do for printing.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-01 18:20:01 UTC
We will not be sending a maskglsa for this.