Re: Ghostscript issue with fonts
[ sent again - avoiding 8bit in mail header confusing Debian server ]

Hi Clark,

Quoting Clark Knøsen (2019-08-13 18:45:33)
> There seems to be an issue with the fonts which cause some PDF's to be
> unreadable after processing them with Ghostscript..
>
> I don't know where to report this?
>
> Please see this bug report at Ghostscript and what the developers
> say..
>
> https://bugs.ghostscript.com/show_bug.cgi?id=701417

As you wrote yourself in upstream bugreport the package you installed is "ghostscript" - that's a suitable package to file your bugreport against.

More info on reporting bugs in Debian here: https://www.debian.org/Bugs/Reporting

NB: I maintain the ghostscript package and am Danish, so if the issue you have is tied to Danish characters specifically, then you can assume in your bugreport that I know the difference between German double-S and Danish o-slash :-)

Kind regards,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Ghostscript issue with fonts
Hi

There seems to be an issue with the fonts which cause some PDF's to be unreadable after processing them with Ghostscript..

I don't know where to report this?

Please see this bug report at Ghostscript and what the developers say..

https://bugs.ghostscript.com/show_bug.cgi?id=701417
ghostscript_9.27~dfsg-3.1_sourceonly.changes ACCEPTED into unstable
Accepted:

Format: 1.8
Date: Tue, 13 Aug 2019 09:49:11 +0200
Source: ghostscript
Architecture: source
Version: 9.27~dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team
Changed-By: Salvatore Bonaccorso
Closes: 934638
Changes:
 ghostscript (9.27~dfsg-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload (with maintainers approval).
   * protect use of .forceput with executeonly (CVE-2019-10216)
     (Closes: #934638)

Thank you for your contribution to Debian.
Processing of ghostscript_9.27~dfsg-3.1_sourceonly.changes
ghostscript_9.27~dfsg-3.1_sourceonly.changes uploaded successfully to localhost
along with the files:
  ghostscript_9.27~dfsg-3.1.dsc
  ghostscript_9.27~dfsg-3.1.debian.tar.xz

Greetings,

  Your Debian queue daemon (running on host usper.debian.org)
Bug#934638: marked as done (ghostscript: CVE-2019-10216)
Your message dated Tue, 13 Aug 2019 08:40:14 + with message-id and subject line Bug#934638: fixed in ghostscript 9.27~dfsg-3.1 has caused the Debian Bug report #934638, regarding ghostscript: CVE-2019-10216 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
934638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934638
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: ghostscript
Version: 9.27~dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=701394
Control: found -1 9.27~dfsg-2
Control: found -1 9.26a~dfsg-0+deb9u2
Control: found -1 9.26a~dfsg-0+deb9u3
Control: found -1 9.06~dfsg-2
Control: fixed -1 9.26a~dfsg-0+deb9u4
Control: fixed -1 9.27~dfsg-2+deb10u1

Hi,

The following vulnerability was published for ghostscript.

CVE-2019-10216[0]:
| -dSAFER escape via .buildfont1

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10216
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10216
[1] https://bugs.ghostscript.com/show_bug.cgi?id=701394
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: ghostscript
Source-Version: 9.27~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 934...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 13 Aug 2019 09:49:11 +0200
Source: ghostscript
Architecture: source
Version: 9.27~dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team
Changed-By: Salvatore Bonaccorso
Closes: 934638
Changes:
 ghostscript (9.27~dfsg-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload (with maintainers approval).
   * protect use of .forceput with executeonly (CVE-2019-10216)
     (Closes: #934638)
--- End Message ---
Bug#934638: ghostscript: diff for NMU version 9.27~dfsg-3.1
Control: tags 934638 + patch Control: tags 934638 + pending Dear Jonas, I've prepared an NMU for ghostscript (versioned as 9.27~dfsg-3.1) and uploaded it to according to your ack. Merge request is as well in https://salsa.debian.org/printing-team/ghostscript/merge_requests/7 (as the others for the respective versions in buster- and stretch-security). Regards, Salvatore diff -Nru ghostscript-9.27~dfsg/debian/changelog ghostscript-9.27~dfsg/debian/changelog --- ghostscript-9.27~dfsg/debian/changelog 2019-07-24 17:45:28.0 +0200 +++ ghostscript-9.27~dfsg/debian/changelog 2019-08-13 09:49:11.0 +0200 @@ -1,3 +1,11 @@ +ghostscript (9.27~dfsg-3.1) unstable; urgency=medium + + * Non-maintainer upload (with maintainers approval). + * protect use of .forceput with executeonly (CVE-2019-10216) +(Closes: #934638) + + -- Salvatore Bonaccorso Tue, 13 Aug 2019 09:49:11 +0200 + ghostscript (9.27~dfsg-3) unstable; urgency=medium * Declare compliance with Debian Policy 4.4.0. diff -Nru ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch --- ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch 1970-01-01 01:00:00.0 +0100 +++ ghostscript-9.27~dfsg/debian/patches/020190802~5b85ddd.patch 2019-08-13 09:49:11.0 +0200 
@@ -0,0 +1,52 @@ +From: Chris Liddell +Date: Fri, 2 Aug 2019 15:18:26 +0100 +Subject: Bug 701394: protect use of .forceput with executeonly +Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19a8420a1bd2d5529325be35d78e94234 +Bug-Debian: https://bugs.debian.org/934638 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10216 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701394 + +--- + Resource/Init/gs_type1.ps | 14 +++--- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +index 6c7735bc0cc3..a039ccee3590 100644 +--- a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps +@@ -118,25 +118,25 @@ + ( to be the same as glyph: ) print 1 index //== exec } if +3 index exch 3 index .forceput + % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname +- } ++ }executeonly + {pop} ifelse +- } forall ++ } executeonly forall +pop pop +- } ++ } executeonly + { +pop pop pop + } ifelse +- } ++ } executeonly +{ +% scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname + pop pop +} ifelse +- } forall ++ } executeonly forall + 3 1 roll pop pop +- } if ++ } executeonly if + pop + dup /.AGLprocessed~GS //true .forceput +- } if ++ } executeonly if + +%% We need to excute the C .buildfont1 in a stopped context so that, if there +%% are errors we can put the stack back sanely and exit. Otherwise callers won't +-- +2.20.1 + diff -Nru ghostscript-9.27~dfsg/debian/patches/series ghostscript-9.27~dfsg/debian/patches/series --- ghostscript-9.27~dfsg/debian/patches/series 2019-04-20 10:09:53.0 +0200 +++ ghostscript-9.27~dfsg/debian/patches/series 2019-08-13 09:49:11.0 +0200 @@ -1,4 +1,5 @@ 020190410~06c9207.patch +020190802~5b85ddd.patch 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch 2003_support_multiarch.patch
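Review bot: The gs_type1.ps hunk in 020190802~5b85ddd.patch covers one window of one file (lines 118 onward, "1 file changed"), so the diff alone does not show whether any other `.forceput` call in Resource/Init sits inside a procedure that is still readable. Both calls visible here (`3 index exch 3 index .forceput` and `dup /.AGLprocessed~GS //true .forceput`) are wrapped at every enclosing level out to the final `} executeonly if`, which is what the fix needs. Before relying on this as the complete fix for the -dSAFER escape, grep the unpacked tree for `.forceput` and check that each enclosing procedure carries executeonly. Minor: the first replacement is written `}executeonly` without the space the other six use. It parses the same because `}` is self-delimiting in PostScript, and since this is a copy of the upstream commit it is better left byte-identical here.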
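Review bot: The debian/changelog hunk names the CVE and the bug number but not the patch file it introduces. Naming 020190802~5b85ddd.patch (or the upstream commit from its Origin header) in the second bullet would let someone auditing the package go from the changelog straight to the change. Also a wording nit in the first bullet: "maintainers approval" is missing its apostrophe.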
Processed: ghostscript: diff for NMU version 9.27~dfsg-3.1
Processing control commands:

> tags 934638 + patch
Bug #934638 [src:ghostscript] ghostscript: CVE-2019-10216
Added tag(s) patch.
> tags 934638 + pending
Bug #934638 [src:ghostscript] ghostscript: CVE-2019-10216
Added tag(s) pending.

--
934638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934638
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems