Bug#869913: marked as done (ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c))

2017-10-08 Thread Debian Bug Tracking System
Your message dated Sun, 08 Oct 2017 11:33:49 +
with message-id 
and subject line Bug#869913: fixed in ghostscript 9.06~dfsg-2+deb8u6
has caused the Debian Bug report #869913,
regarding ghostscript: CVE-2017-9727: heap-buffer-overflow in 
gx_ttfReader__Read(base/gxttfb.c)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
869913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869913
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ghostscript
Version: 9.06~dfsg-2
Severity: important
Tags: upstream patch security fixed-upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698056

Hi,

the following vulnerability was published for ghostscript.

CVE-2017-9727[0]:
| The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscript
| GhostXPS 9.22 allows remote attackers to cause a denial of service
| (heap-based buffer over-read and application crash) or possibly have
| unspecified other impact via a crafted document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9727
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698056
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.06~dfsg-2+deb8u6

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2017 21:55:37 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.06~dfsg-2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team 
Changed-By: Salvatore Bonaccorso 
Closes: 869907 869910 869913 869915 869916 869917 869977
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Bounds check the array allocations methods (CVE-2017-9835)
     (Closes: #869907)
   * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917)
   * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916)
   * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915)
   * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
     (Closes: #869913)
   * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
   * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977)

Bug#869913: marked as done (ghostscript: CVE-2017-9727: heap-buffer-overflow in gx_ttfReader__Read(base/gxttfb.c))

2017-09-30 Thread Debian Bug Tracking System
Your message dated Sat, 30 Sep 2017 18:48:24 +
with message-id 
and subject line Bug#869913: fixed in ghostscript 9.20~dfsg-3.2+deb9u1
has caused the Debian Bug report #869913,
regarding ghostscript: CVE-2017-9727: heap-buffer-overflow in 
gx_ttfReader__Read(base/gxttfb.c)
to be marked as done.

--- Begin Message ---
Source: ghostscript
Source-Version: 9.20~dfsg-3.2+deb9u1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2017 21:47:33 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.20~dfsg-3.2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Printing Team 
Changed-By: Salvatore Bonaccorso 
Closes: 869907 869910 869913 869915 869916 869917 869977
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.20~dfsg-3.2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Bounds check the array allocations methods (CVE-2017-9835)
     (Closes: #869907)
   * Bounds check zone pointer in Ins_MIRP() (CVE-2017-9611) (Closes: #869917)
   * Bounds check zone pointers in Ins_IP() (CVE-2017-9612) (Closes: #869916)
   * Bounds check zone pointer in Ins_MDRP (CVE-2017-9726) (Closes: #869915)
   * Make bounds check in gx_ttfReader__Read more robust (CVE-2017-9727)
     (Closes: #869913)
   * Bounds check Ins_JMPR (CVE-2017-9739) (Closes: #869910)
   * Prevent trying to reloc a freed object (CVE-2017-11714) (Closes: #869977)