According to the post on oss-security [1], where pointers to upstream fixes can also be found:

bug: various userparams allow %pipe% in paths, allowing remote shell command execution.
bug: .libfile doesn't check PermitFileReading array, allowing remote file disclosure.
bug: reference leak in .setdevice allows use-after-free and remote code execution
bug: type confusion in .initialize_dsc_parser allows remote code execution

[1] https://marc.info/?l=oss-security&m=147568403218963&w=2

Reproducible: Always
Given the current status of ghostscript's security, I did not consider opening the bug. Thanks anyway to whoever did it.
Upstream fix: http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d

Not yet released.
> bug: various userparams allow %pipe% in paths, allowing remote shell
> command execution.

CVE-2016-7976
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697178
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d

> bug: .libfile doesn't check PermitFileReading array, allowing remote
> file disclosure.

CVE-2016-7977
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697169
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70

> bug: reference leak in .setdevice allows use-after-free and remote
> code execution

CVE-2016-7978
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697179
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf

> bug: type confusion in .initialize_dsc_parser allows remote
> code execution

CVE-2016-7979
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697190
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913

> type confusion

CVE-2016-8602
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697203
Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78

@ Maintainer(s): Please bump to >=app-text/ghostscript-gpl-9.20 and cherry-pick the patches.
A preliminary version bump can be found here:
https://gitweb.gentoo.org/dev/dev-zero.git/tree/app-text/ghostscript-gpl/ghostscript-gpl-9.20.ebuild

It is still a WIP since I didn't fix the build failures with gsdjvu yet.

The patchset is based on the Fedora patches minus the one for jbig2dec since we unbundle it anyway. The tarball is located on woodpecker:/home/dev-zero/distfiles/ghostscript-gpl-9.20-patchset-1.tar.xz (since upstream now uses xz instead of bz2, I switched to xz for the patchset as well).
Bumped to 9.20 in ~arch, please test. I still need to verify which of these issues are already fixed and which need separate patches.

(In reply to Tiziano Müller from comment #4)
[...]
> The patchset is based on the Fedora patches minus the one for jbig2dec since
> we unbundle it anyway. The tarball is located on
> woodpecker:/home/dev-zero/distfiles/ghostscript-gpl-9.20-patchset-1.tar.xz

Doh. Only saw this now. Will have a look later on.
commit 521a0bbaf9bea07b4c977156bb5cd3efaded1bb4
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sat Jan 28 23:47:18 2017 +0100

    app-text/ghostscript-gpl: Revision bump adding various security patches from Fedora, bug 596576

    Many thanks to dev-zero for preparing this.
    It fixes CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 app-text/ghostscript-gpl/Manifest                       |   1 +
 app-text/ghostscript-gpl/ghostscript-gpl-9.20-r1.ebuild | 255 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)

Let's test this for a bit before stabilization.
I don't see any breakage wave coming, so let's go ahead.

Arches please stabilize app-text/ghostscript-gpl-9.20-r1

Target: all stable arches
amd64 stable
x86 stable
ppc stable
Stable on alpha.
arm stable
Adding arches back. Please also stabilize in addition =net-print/gutenprint-5.2.12 (current stable does not build with the newly stable ghostscript-gpl, see bug 587744). So,

=app-text/ghostscript-gpl-9.20-r1
=net-print/gutenprint-5.2.12

Target: all stable arches
sparc stable
arm ppc ppc64 stable.
Stable for HPPA.
ia64 stable
Cleanup done. Nothing to do for printing here anymore.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201702-31 at https://security.gentoo.org/glsa/201702-31 by GLSA coordinator Thomas Deutschmann (whissi).