Source: ghostscript Version: 9.21~dfsg-1 Severity: normal Tags: security patch upstream
Hi, the following vulnerabilities were published for ghostscript. Note, I'm collecting those in one bug, because they are currently unimportant for Debian as xps/ not used during build. But it would be nice to see those as well fixed for future. The security-tracker link refer individually to the respective upstream bug and commit. CVE-2017-9610[0]: | The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript | GhostXPS 9.22 allows remote attackers to cause a denial of service | (heap-based buffer over-read and application crash) or possibly have | unspecified other impact via a crafted document. CVE-2017-9618[1]: | The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript | GhostXPS 9.22 allows remote attackers to cause a denial of service | (buffer overflow and application crash) or possibly have unspecified | other impact via a crafted document. CVE-2017-9619[2]: | The xps_true_callback_glyph_name function in xps/xpsttf.c in Artifex | Ghostscript GhostXPS 9.22 allows remote attackers to cause a denial of | service (Segmentation Violation and application crash) via a crafted | file. CVE-2017-9620[3]: | The xps_select_font_encoding function in xps/xpsfont.c in Artifex | Ghostscript GhostXPS 9.22 allows remote attackers to cause a denial of | service (heap-based buffer over-read and application crash) or possibly | have unspecified other impact via a crafted document, related to the | xps_encode_font_char_imp function. CVE-2017-9740[4]: | The xps_decode_font_char_imp function in xps/xpsfont.c in Artifex | Ghostscript GhostXPS 9.22 allows remote attackers to cause a denial of | service (heap-based buffer over-read and application crash) or possibly | have unspecified other impact via a crafted document. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-9610 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9610 [1] https://security-tracker.debian.org/tracker/CVE-2017-9618 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9618 [2] https://security-tracker.debian.org/tracker/CVE-2017-9619 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9619 [3] https://security-tracker.debian.org/tracker/CVE-2017-9620 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9620 [4] https://security-tracker.debian.org/tracker/CVE-2017-9740 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9740 Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)