Bug#869913: marked as done (ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c))
Your message dated Sun, 08 Oct 2017 11:33:49 +
with message-id and subject line Bug#869913: fixed in ghostscript 9.06~dfsg-2+deb8u6
has caused the Debian Bug report #869913,
regarding ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
869913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869913
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698056

Hi,

the following vulnerability was published for ghostscript.

CVE-2017-9727[0]:
| The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscript
| GhostXPS 9.22 allows remote attackers to cause a denial of service
| (heap-based buffer over-read and application crash) or possibly have
| unspecified other impact via a crafted document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9727
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9727
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698056
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ghostscript
Source-Version: 9.06~dfsg-2+deb8u6

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 869...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2017 21:55:37 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.06~dfsg-2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team
Changed-By: Salvatore Bonaccorso
Closes: 869907 869910 869913 869915 869916 869917 869977
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Bounds check the array allocations methods (CVE-2017-9835)
     (Closes: #869907)
   * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611)
     (Closes: #869917)
   * Bounds check zone pointers in Ins_IP() (CVE-2017-9612)
     (Closes: #869916)
   * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726)
     (Closes: #869915)
   * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
     (Closes: #869913)
   * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
   * Prevent trying to reloc a freed object (CVE-2017-11714)
     (Closes: #869977)
Checksums-Sha1:
 1c8a4f1c3b0b2588cd34115d793b40dbf00e7271 3047 ghostscript_9.06~dfsg-2+deb8u6.dsc
 7a98ed931ce351d6825f9d2e8271761c61173052 102468 ghostscript_9.06~dfsg-2+deb8u6.debian.tar.xz
 3dcd1775cdada514468e729c23a8d7360c8c 5067528 ghostscript-doc_9.06~dfsg-2+deb8u6_all.deb
 163a310efbe0b6f2c6c04778bc51d2057487adaf 1979944 libgs9-common_9.06~dfsg-2+deb8u6_all.deb
Checksums-Sha256:
 0b9b99f5f83eebbc94ed5427e962e80a60d2902baee585f85abab11305a22ab0 3047

Bug#869913: marked as done (ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c))
Your message dated Sat, 30 Sep 2017 18:48:24 +
with message-id and subject line Bug#869913: fixed in ghostscript 9.20~dfsg-3.2+deb9u1
has caused the Debian Bug report #869913,
regarding ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
869913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869913
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698056

Hi,

the following vulnerability was published for ghostscript.

CVE-2017-9727[0]:
| The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscript
| GhostXPS 9.22 allows remote attackers to cause a denial of service
| (heap-based buffer over-read and application crash) or possibly have
| unspecified other impact via a crafted document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9727
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9727
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698056
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ghostscript
Source-Version: 9.20~dfsg-3.2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 869...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2017 21:47:33 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.20~dfsg-3.2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Printing Team
Changed-By: Salvatore Bonaccorso
Closes: 869907 869910 869913 869915 869916 869917 869977
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Bounds check the array allocations methods (CVE-2017-9835)
     (Closes: #869907)
   * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611)
     (Closes: #869917)
   * Bounds check zone pointers in Ins_IP() (CVE-2017-9612)
     (Closes: #869916)
   * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726)
     (Closes: #869915)
   * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
     (Closes: #869913)
   * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
   * Prevent trying to reloc a freed object (CVE-2017-11714)
     (Closes: #869977)
Checksums-Sha1:
 9e2afb408e26181f04dff55fff1fa750172cbdd1 3053 ghostscript_9.20~dfsg-3.2+deb9u1.dsc
 9489bf12392539b5ef063636419ea7248dbed423 24642220 ghostscript_9.20~dfsg.orig.tar.gz
 c6962ab5948bf6f3ed01ef2487f5296a1d8d1879 117452 ghostscript_9.20~dfsg-3.2+deb9u1.debian.tar.xz
Checksums-Sha256:
 a66b365588b67d40f4d6928e25c786fa3fac9741ff04d90660d2dc25f438173f 3053 ghostscript_9.20~dfsg-3.2+deb9u1.dsc