To: [email protected]Subject: [ MDVSA-2009:095 ] ghostscript
Date: Fri, 24 Apr 2009 20:49:01 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1LxQSL-00087h-DN@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:095
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ghostscript
Date : April 24, 2009
Affected: 2008.1, 2009.0, Corporate 4.0
_______________________________________________________________________
Problem Description:
A buffer underflow in Ghostscript's CCITTFax decoding filter allows
remote attackers to cause denial of service and possibly to execute
arbitrary by using a crafted PDF file (CVE-2007-6725).
Buffer overflow in Ghostscript's BaseFont writer module allows
remote attackers to cause a denial of service and possibly to execute
arbitrary code via a crafted Postscript file (CVE-2008-6679).
Multiple interger overflows in Ghostsript's International Color
Consortium Format Library (icclib) allows attackers to cause denial
of service (heap-based buffer overflow and application crash) and
possibly execute arbirary code by using either a PostScript or PDF
file with crafte embedded images (CVE-2009-0583, CVE-2009-0584).
Multiple interger overflows in Ghostsript's International Color
Consortium Format Library (icclib) allows attackers to cause denial
of service (heap-based buffer overflow and application crash) and
possibly execute arbirary code by using either a PostScript or PDF
file with crafte embedded images. Note: this issue exists because of
an incomplete fix for CVE-2009-0583 (CVE-2009-0792).
Heap-based overflow in Ghostscript's JBIG2 decoding library allows
attackers to cause denial of service and possibly to execute arbitrary
code by using a crafted PDF file (CVE-2009-0196).
This update provides fixes for that vulnerabilities.
Update:
gostscript packages from Mandriva Linux 2009.0 distribution are not
affected by CVE-2007-6725.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
21e5523f3dd1e662749153256a9c4c29 2008.1/i586/ghostscript-8.61-60.1mdv2008.1.i586.rpm
67c9ef01cbb300b355ca7973796128e1 2008.1/i586/ghostscript-common-8.61-60.1mdv2008.1.i586.rpm
981885697a740a41de36f2fbe9162ead 2008.1/i586/ghostscript-doc-8.61-60.1mdv2008.1.i586.rpm
6021f2ba30f5db13365b4b4032bd95dd 2008.1/i586/ghostscript-dvipdf-8.61-60.1mdv2008.1.i586.rpm
fbcf137a546d3a26728d03c43fe91f63 2008.1/i586/ghostscript-module-X-8.61-60.1mdv2008.1.i586.rpm
7957439e200dd85d147896c324267d25 2008.1/i586/ghostscript-X-8.61-60.1mdv2008.1.i586.rpm
2c15c85bde4846cf0e353bb05af17320 2008.1/i586/libgs8-8.61-60.1mdv2008.1.i586.rpm
eb5d8bab4161862a3f52cac7e75026b1 2008.1/i586/libgs8-devel-8.61-60.1mdv2008.1.i586.rpm
8c54dfe0af736153a138361ca4f7093a 2008.1/i586/libijs1-0.35-60.1mdv2008.1.i586.rpm
e8192518fbd2f9931ae54a86bcbbf567 2008.1/i586/libijs1-devel-0.35-60.1mdv2008.1.i586.rpm
c65ca4c2032670ac4f30ef131a8f3d32 2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
1495a4f65154f7a50888a96162e6a180 2008.1/x86_64/ghostscript-8.61-60.1mdv2008.1.x86_64.rpm
3afecedda4a8d72f32f37efeabbaf46e 2008.1/x86_64/ghostscript-common-8.61-60.1mdv2008.1.x86_64.rpm
a2a2969f5c501347f6c7513a8180ac62 2008.1/x86_64/ghostscript-doc-8.61-60.1mdv2008.1.x86_64.rpm
016239f5bc2cca3aae62f1dc3fa443a2 2008.1/x86_64/ghostscript-dvipdf-8.61-60.1mdv2008.1.x86_64.rpm
5537b78ef9cac087f3a6c88e8c6c4b34 2008.1/x86_64/ghostscript-module-X-8.61-60.1mdv2008.1.x86_64.rpm
1927c0fce28438b00d504d5bf207a257 2008.1/x86_64/ghostscript-X-8.61-60.1mdv2008.1.x86_64.rpm
7da692a79f0054041c685f74d291c042 2008.1/x86_64/lib64gs8-8.61-60.1mdv2008.1.x86_64.rpm
e8eef75aa357ab14937c9e5bd07bad83 2008.1/x86_64/lib64gs8-devel-8.61-60.1mdv2008.1.x86_64.rpm
25dbc9b27639c90097a14532d8e30039 2008.1/x86_64/lib64ijs1-0.35-60.1mdv2008.1.x86_64.rpm
3effb7a452c598b79a9ccf2a2a85402f 2008.1/x86_64/lib64ijs1-devel-0.35-60.1mdv2008.1.x86_64.rpm
c65ca4c2032670ac4f30ef131a8f3d32 2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
08d85895c1b9b2f184b521b347b6c3a9 2009.0/i586/ghostscript-8.63-62.1mdv2009.0.i586.rpm
b80577925371e2e310efa46cc7e6524e 2009.0/i586/ghostscript-common-8.63-62.1mdv2009.0.i586.rpm
3d2b787310d18f6d57e8f2759e2e378d 2009.0/i586/ghostscript-doc-8.63-62.1mdv2009.0.i586.rpm
74230df515cd6f728b1ad0fa7425881f 2009.0/i586/ghostscript-dvipdf-8.63-62.1mdv2009.0.i586.rpm
89013a75d8c588b5ac8b08e68585c55e 2009.0/i586/ghostscript-module-X-8.63-62.1mdv2009.0.i586.rpm
383751e84376fe6bbd7e3cb52c2f9a68 2009.0/i586/ghostscript-X-8.63-62.1mdv2009.0.i586.rpm
353d6c17931a606fe9de82f3ce275dd5 2009.0/i586/libgs8-8.63-62.1mdv2009.0.i586.rpm
05665f903b2ac9b5f1baf924598250ab 2009.0/i586/libgs8-devel-8.63-62.1mdv2009.0.i586.rpm
a3d0879ab70588df82b0a2a0eba91cc4 2009.0/i586/libijs1-0.35-62.1mdv2009.0.i586.rpm
75b2f976582e0e1b2800927c0c0356d1 2009.0/i586/libijs1-devel-0.35-62.1mdv2009.0.i586.rpm
f10ffcf2150c332ff6baf9befc04561a 2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
66ea01cecd74b8baf47c0fde1333eb94 2009.0/x86_64/ghostscript-8.63-62.1mdv2009.0.x86_64.rpm
a5f89f1f738627329671fedc6499e066 2009.0/x86_64/ghostscript-common-8.63-62.1mdv2009.0.x86_64.rpm
8b7c1317a8da3b8ce5b19f9ee4b1e32d 2009.0/x86_64/ghostscript-doc-8.63-62.1mdv2009.0.x86_64.rpm
72e99ba40f13862aa1117738cb426e8a 2009.0/x86_64/ghostscript-dvipdf-8.63-62.1mdv2009.0.x86_64.rpm
9ef78a2da9e98e5a9b50c850166a2974 2009.0/x86_64/ghostscript-module-X-8.63-62.1mdv2009.0.x86_64.rpm
e66cb4eca77d326f7a8aa62c303a0630 2009.0/x86_64/ghostscript-X-8.63-62.1mdv2009.0.x86_64.rpm
6310d106dc710713b89b8053f702bff1 2009.0/x86_64/lib64gs8-8.63-62.1mdv2009.0.x86_64.rpm
69b66aa75de8eb8739b1b4cda07c9f5f 2009.0/x86_64/lib64gs8-devel-8.63-62.1mdv2009.0.x86_64.rpm
ce33d1391e0fb673c865df40a3d63eb4 2009.0/x86_64/lib64ijs1-0.35-62.1mdv2009.0.x86_64.rpm
9eac0d8043cb220edbbdf795c4f8eed0 2009.0/x86_64/lib64ijs1-devel-0.35-62.1mdv2009.0.x86_64.rpm
f10ffcf2150c332ff6baf9befc04561a 2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm
Corporate 4.0:
f3f2dd869b6716d5693a2851d0103d29 corporate/4.0/i586/ghostscript-8.15-46.2.20060mlcs4.i586.rpm
dfbad4b982a25d92abe3c59dd66dfcc5 corporate/4.0/i586/ghostscript-common-8.15-46.2.20060mlcs4.i586.rpm
0db7b9267e286692faba1c3d0dc96ba8 corporate/4.0/i586/ghostscript-dvipdf-8.15-46.2.20060mlcs4.i586.rpm
671ac5a9cbe53778e42bff674eecc29f corporate/4.0/i586/ghostscript-module-X-8.15-46.2.20060mlcs4.i586.rpm
084da1f80aed83f0c2760cb4badd0912 corporate/4.0/i586/ghostscript-X-8.15-46.2.20060mlcs4.i586.rpm
e1f093bba6ef20334386d510c8d71a16 corporate/4.0/i586/libgs8-8.15-46.2.20060mlcs4.i586.rpm
6822f3330c5df7322f0b2b358fc8a0b8 corporate/4.0/i586/libgs8-devel-8.15-46.2.20060mlcs4.i586.rpm
8524416169178e556b61dd524bccb880 corporate/4.0/i586/libijs1-0.35-46.2.20060mlcs4.i586.rpm
1608d8fc8f9f11a91a270f73a820886d corporate/4.0/i586/libijs1-devel-0.35-46.2.20060mlcs4.i586.rpm
2d6e27ec1923b32485fc40fbe73f5e76 corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
3bf733e0a435f1d043ab03ee89bf900f corporate/4.0/x86_64/ghostscript-8.15-46.2.20060mlcs4.x86_64.rpm
378d6bedbe98a7ae128bf24ce73ff237 corporate/4.0/x86_64/ghostscript-common-8.15-46.2.20060mlcs4.x86_64.rpm
ef7a7d50ec22edf3194351c0564362ac corporate/4.0/x86_64/ghostscript-dvipdf-8.15-46.2.20060mlcs4.x86_64.rpm
5b70ec3ac9bfd88c9281a768089993fc corporate/4.0/x86_64/ghostscript-module-X-8.15-46.2.20060mlcs4.x86_64.rpm
1ea47debc989e4ce9efa7ced8d23ced3 corporate/4.0/x86_64/ghostscript-X-8.15-46.2.20060mlcs4.x86_64.rpm
aaad3b214a420ebfb7599aa7bf6c2265 corporate/4.0/x86_64/lib64gs8-8.15-46.2.20060mlcs4.x86_64.rpm
3d807e9b0ff862a28d3b15a067f71f27 corporate/4.0/x86_64/lib64gs8-devel-8.15-46.2.20060mlcs4.x86_64.rpm
46dcc298bf2eb2b0be3a7cdcaf20f4a6 corporate/4.0/x86_64/lib64ijs1-0.35-46.2.20060mlcs4.x86_64.rpm
5c656acee2162a7ab67bee745cbbf473 corporate/4.0/x86_64/lib64ijs1-devel-0.35-46.2.20060mlcs4.x86_64.rpm
2d6e27ec1923b32485fc40fbe73f5e76 corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJ8d0VmqjQ0CJFipgRAmAFAJ0VG4BedOc36ha3HKdhcGHOKULILwCfRY4i
NI4Hm3ny+blkGziBjdTkXdg=
=MXEA
-----END PGP SIGNATURE-----