On Wednesday 01 April 2009, Jan Lieskovsky wrote:
> 1, DoS (crash) in CCITTFax decoding filter
> -^ original report, so CVE-2007-XXXX will be needed
> https://bugzilla.redhat.com/show_bug.cgi?id=493442#c1 (PoC)
> 2, Buffer overflow in BaseFont writer module for pdfwrite device
> -^ upstream bug report, so CVE-2008-XXXX will be needed
> (upstream patch)
Note that app-text/ghostscript-gpl-8.64 already comes with both patches, whereas -gnu ships the vulnerable code.
Thank you, Robert, for the report.
Ebuild with patch committed. ppc64, please stabilize.
The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly
other versions, allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted PDF file
that triggers a buffer underflow in the cf_decode_2d function.
Buffer overflow in the BaseFont writer module in Ghostscript 8.62,
and possibly other versions, allows remote attackers to cause a
denial of service (ps2pdf crash) and possibly execute arbitrary code
via a crafted Postscript file.
Is anything still required here maintainer-wise? I wonder why it's still in [ebuild] state.
The fix for CVE-2007-6725 that went into 8.64 was meant as a work-around. Upstream states this here:
However, none of the patches in comment 11 and 12 received a review yet.
Can someone verify which versions of the packages are unaffected and stable? I cannot currently sync CVS.
I don't have the time nor the ambition to take care of ghostscript-gnu, too, and I'm in favor of masking it if no one else wants to take care of it. Do we really need it besides -gpl anyway?
I've asked the gnu-ghostscript developers about the differences and got a rather ambiguous answer: it looks like gnu-ghostscript has a few more drivers (what?) and has the non-GPL parts dropped (probably CMaps but what else?). Since gpl-ghostscript is many times better maintained and its code base is GPL'ed, I also think that it's better to drop ghostscript-gnu from the tree. Objections?
(In reply to comment #8)
> I also think that it's better to drop ghostscript-gnu from the tree. Objections?
Not from our side.
Removed from main tree.
Security: your turn now.
maskglsa request filed
Package not in the tree anymore.
Nothing left to do for printing.
We will not be sending a maskglsa for this.