lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1LxQSL-00087l-JI@titan.mandriva.com>
Date: Fri, 24 Apr 2009 20:49:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:095 ] ghostscript


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:095
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : April 24, 2009
 Affected: 2008.1, 2009.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A buffer underflow in Ghostscript's CCITTFax decoding filter allows
 remote attackers to cause denial of service and possibly to execute
 arbitrary by using a crafted PDF file (CVE-2007-6725).
 
 Buffer overflow in Ghostscript's BaseFont writer module allows
 remote attackers to cause a denial of service and possibly to execute
 arbitrary code via a crafted Postscript file (CVE-2008-6679).
 
 Multiple interger overflows in Ghostsript's International Color
 Consortium Format Library (icclib) allows attackers to cause denial
 of service (heap-based buffer overflow and application crash) and
 possibly execute arbirary code by using either a PostScript or PDF
 file with crafte embedded images (CVE-2009-0583, CVE-2009-0584).
 
 Multiple interger overflows in Ghostsript's International Color
 Consortium Format Library (icclib) allows attackers to cause denial
 of service (heap-based buffer overflow and application crash) and
 possibly execute arbirary code by using either a PostScript or PDF
 file with crafte embedded images. Note: this issue exists because of
 an incomplete fix for CVE-2009-0583 (CVE-2009-0792).
 
 Heap-based overflow in Ghostscript's JBIG2 decoding library allows
 attackers to cause denial of service and possibly to execute arbitrary
 code by using a crafted PDF file (CVE-2009-0196).
 
 This update provides fixes for that vulnerabilities.

 Update:

 gostscript packages from Mandriva Linux 2009.0 distribution are not
 affected by CVE-2007-6725.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 21e5523f3dd1e662749153256a9c4c29  2008.1/i586/ghostscript-8.61-60.1mdv2008.1.i586.rpm
 67c9ef01cbb300b355ca7973796128e1  2008.1/i586/ghostscript-common-8.61-60.1mdv2008.1.i586.rpm
 981885697a740a41de36f2fbe9162ead  2008.1/i586/ghostscript-doc-8.61-60.1mdv2008.1.i586.rpm
 6021f2ba30f5db13365b4b4032bd95dd  2008.1/i586/ghostscript-dvipdf-8.61-60.1mdv2008.1.i586.rpm
 fbcf137a546d3a26728d03c43fe91f63  2008.1/i586/ghostscript-module-X-8.61-60.1mdv2008.1.i586.rpm
 7957439e200dd85d147896c324267d25  2008.1/i586/ghostscript-X-8.61-60.1mdv2008.1.i586.rpm
 2c15c85bde4846cf0e353bb05af17320  2008.1/i586/libgs8-8.61-60.1mdv2008.1.i586.rpm
 eb5d8bab4161862a3f52cac7e75026b1  2008.1/i586/libgs8-devel-8.61-60.1mdv2008.1.i586.rpm
 8c54dfe0af736153a138361ca4f7093a  2008.1/i586/libijs1-0.35-60.1mdv2008.1.i586.rpm
 e8192518fbd2f9931ae54a86bcbbf567  2008.1/i586/libijs1-devel-0.35-60.1mdv2008.1.i586.rpm 
 c65ca4c2032670ac4f30ef131a8f3d32  2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 1495a4f65154f7a50888a96162e6a180  2008.1/x86_64/ghostscript-8.61-60.1mdv2008.1.x86_64.rpm
 3afecedda4a8d72f32f37efeabbaf46e  2008.1/x86_64/ghostscript-common-8.61-60.1mdv2008.1.x86_64.rpm
 a2a2969f5c501347f6c7513a8180ac62  2008.1/x86_64/ghostscript-doc-8.61-60.1mdv2008.1.x86_64.rpm
 016239f5bc2cca3aae62f1dc3fa443a2  2008.1/x86_64/ghostscript-dvipdf-8.61-60.1mdv2008.1.x86_64.rpm
 5537b78ef9cac087f3a6c88e8c6c4b34  2008.1/x86_64/ghostscript-module-X-8.61-60.1mdv2008.1.x86_64.rpm
 1927c0fce28438b00d504d5bf207a257  2008.1/x86_64/ghostscript-X-8.61-60.1mdv2008.1.x86_64.rpm
 7da692a79f0054041c685f74d291c042  2008.1/x86_64/lib64gs8-8.61-60.1mdv2008.1.x86_64.rpm
 e8eef75aa357ab14937c9e5bd07bad83  2008.1/x86_64/lib64gs8-devel-8.61-60.1mdv2008.1.x86_64.rpm
 25dbc9b27639c90097a14532d8e30039  2008.1/x86_64/lib64ijs1-0.35-60.1mdv2008.1.x86_64.rpm
 3effb7a452c598b79a9ccf2a2a85402f  2008.1/x86_64/lib64ijs1-devel-0.35-60.1mdv2008.1.x86_64.rpm 
 c65ca4c2032670ac4f30ef131a8f3d32  2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 08d85895c1b9b2f184b521b347b6c3a9  2009.0/i586/ghostscript-8.63-62.1mdv2009.0.i586.rpm
 b80577925371e2e310efa46cc7e6524e  2009.0/i586/ghostscript-common-8.63-62.1mdv2009.0.i586.rpm
 3d2b787310d18f6d57e8f2759e2e378d  2009.0/i586/ghostscript-doc-8.63-62.1mdv2009.0.i586.rpm
 74230df515cd6f728b1ad0fa7425881f  2009.0/i586/ghostscript-dvipdf-8.63-62.1mdv2009.0.i586.rpm
 89013a75d8c588b5ac8b08e68585c55e  2009.0/i586/ghostscript-module-X-8.63-62.1mdv2009.0.i586.rpm
 383751e84376fe6bbd7e3cb52c2f9a68  2009.0/i586/ghostscript-X-8.63-62.1mdv2009.0.i586.rpm
 353d6c17931a606fe9de82f3ce275dd5  2009.0/i586/libgs8-8.63-62.1mdv2009.0.i586.rpm
 05665f903b2ac9b5f1baf924598250ab  2009.0/i586/libgs8-devel-8.63-62.1mdv2009.0.i586.rpm
 a3d0879ab70588df82b0a2a0eba91cc4  2009.0/i586/libijs1-0.35-62.1mdv2009.0.i586.rpm
 75b2f976582e0e1b2800927c0c0356d1  2009.0/i586/libijs1-devel-0.35-62.1mdv2009.0.i586.rpm 
 f10ffcf2150c332ff6baf9befc04561a  2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 66ea01cecd74b8baf47c0fde1333eb94  2009.0/x86_64/ghostscript-8.63-62.1mdv2009.0.x86_64.rpm
 a5f89f1f738627329671fedc6499e066  2009.0/x86_64/ghostscript-common-8.63-62.1mdv2009.0.x86_64.rpm
 8b7c1317a8da3b8ce5b19f9ee4b1e32d  2009.0/x86_64/ghostscript-doc-8.63-62.1mdv2009.0.x86_64.rpm
 72e99ba40f13862aa1117738cb426e8a  2009.0/x86_64/ghostscript-dvipdf-8.63-62.1mdv2009.0.x86_64.rpm
 9ef78a2da9e98e5a9b50c850166a2974  2009.0/x86_64/ghostscript-module-X-8.63-62.1mdv2009.0.x86_64.rpm
 e66cb4eca77d326f7a8aa62c303a0630  2009.0/x86_64/ghostscript-X-8.63-62.1mdv2009.0.x86_64.rpm
 6310d106dc710713b89b8053f702bff1  2009.0/x86_64/lib64gs8-8.63-62.1mdv2009.0.x86_64.rpm
 69b66aa75de8eb8739b1b4cda07c9f5f  2009.0/x86_64/lib64gs8-devel-8.63-62.1mdv2009.0.x86_64.rpm
 ce33d1391e0fb673c865df40a3d63eb4  2009.0/x86_64/lib64ijs1-0.35-62.1mdv2009.0.x86_64.rpm
 9eac0d8043cb220edbbdf795c4f8eed0  2009.0/x86_64/lib64ijs1-devel-0.35-62.1mdv2009.0.x86_64.rpm 
 f10ffcf2150c332ff6baf9befc04561a  2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm

 Corporate 4.0:
 f3f2dd869b6716d5693a2851d0103d29  corporate/4.0/i586/ghostscript-8.15-46.2.20060mlcs4.i586.rpm
 dfbad4b982a25d92abe3c59dd66dfcc5  corporate/4.0/i586/ghostscript-common-8.15-46.2.20060mlcs4.i586.rpm
 0db7b9267e286692faba1c3d0dc96ba8  corporate/4.0/i586/ghostscript-dvipdf-8.15-46.2.20060mlcs4.i586.rpm
 671ac5a9cbe53778e42bff674eecc29f  corporate/4.0/i586/ghostscript-module-X-8.15-46.2.20060mlcs4.i586.rpm
 084da1f80aed83f0c2760cb4badd0912  corporate/4.0/i586/ghostscript-X-8.15-46.2.20060mlcs4.i586.rpm
 e1f093bba6ef20334386d510c8d71a16  corporate/4.0/i586/libgs8-8.15-46.2.20060mlcs4.i586.rpm
 6822f3330c5df7322f0b2b358fc8a0b8  corporate/4.0/i586/libgs8-devel-8.15-46.2.20060mlcs4.i586.rpm
 8524416169178e556b61dd524bccb880  corporate/4.0/i586/libijs1-0.35-46.2.20060mlcs4.i586.rpm
 1608d8fc8f9f11a91a270f73a820886d  corporate/4.0/i586/libijs1-devel-0.35-46.2.20060mlcs4.i586.rpm 
 2d6e27ec1923b32485fc40fbe73f5e76  corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 3bf733e0a435f1d043ab03ee89bf900f  corporate/4.0/x86_64/ghostscript-8.15-46.2.20060mlcs4.x86_64.rpm
 378d6bedbe98a7ae128bf24ce73ff237  corporate/4.0/x86_64/ghostscript-common-8.15-46.2.20060mlcs4.x86_64.rpm
 ef7a7d50ec22edf3194351c0564362ac  corporate/4.0/x86_64/ghostscript-dvipdf-8.15-46.2.20060mlcs4.x86_64.rpm
 5b70ec3ac9bfd88c9281a768089993fc  corporate/4.0/x86_64/ghostscript-module-X-8.15-46.2.20060mlcs4.x86_64.rpm
 1ea47debc989e4ce9efa7ced8d23ced3  corporate/4.0/x86_64/ghostscript-X-8.15-46.2.20060mlcs4.x86_64.rpm
 aaad3b214a420ebfb7599aa7bf6c2265  corporate/4.0/x86_64/lib64gs8-8.15-46.2.20060mlcs4.x86_64.rpm
 3d807e9b0ff862a28d3b15a067f71f27  corporate/4.0/x86_64/lib64gs8-devel-8.15-46.2.20060mlcs4.x86_64.rpm
 46dcc298bf2eb2b0be3a7cdcaf20f4a6  corporate/4.0/x86_64/lib64ijs1-0.35-46.2.20060mlcs4.x86_64.rpm
 5c656acee2162a7ab67bee745cbbf473  corporate/4.0/x86_64/lib64ijs1-devel-0.35-46.2.20060mlcs4.x86_64.rpm 
 2d6e27ec1923b32485fc40fbe73f5e76  corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ8d0VmqjQ0CJFipgRAmAFAJ0VG4BedOc36ha3HKdhcGHOKULILwCfRY4i
NI4Hm3ny+blkGziBjdTkXdg=
=MXEA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ