Message-Id: <E1MVtFI-0008Sz-WE@titan.mandriva.com>
Date: Tue, 28 Jul 2009 22:26:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:165 ] ghostscript


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:165
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : July 28, 2009
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities have been identified and fixed
 in ghostscript:
 
 Multiple integer overflows in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via a crafted
 image file, related to integer multiplication for memory allocation
 (CVE-2008-3520).
 
 Buffer overflow in the jas_stream_printf function in
 libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via
 vectors related to the mif_hdr_put function and use of vsprintf
 (CVE-2008-3522).
 
 Previously the ghostscript packages were statically built against
 a bundled and private copy of the jasper library. This update makes
 ghostscript link against the shared system jasper library which
 makes it easier to address presumptive future security issues in the
 jasper library.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 522b6a5c361a4a6205516b882a92064b  mes5/i586/ghostscript-8.63-62.3mdvmes5.i586.rpm
 362fcaf29ec6ed28b776c5bbc7623a07  mes5/i586/ghostscript-common-8.63-62.3mdvmes5.i586.rpm
 5957705fb7537c5386d8cce36db9b133  mes5/i586/ghostscript-doc-8.63-62.3mdvmes5.i586.rpm
 fc18ad1734dfb9c561fe32f9fd4eaddc  mes5/i586/ghostscript-dvipdf-8.63-62.3mdvmes5.i586.rpm
 82848a8c21df381f3623feee9a7e5f06  mes5/i586/ghostscript-module-X-8.63-62.3mdvmes5.i586.rpm
 a60ef4bbf6d230413798123d76c66256  mes5/i586/ghostscript-X-8.63-62.3mdvmes5.i586.rpm
 63b592eb894b53f976d4fc46efb82c40  mes5/i586/libgs8-8.63-62.3mdvmes5.i586.rpm
 0a985aa191f8fc700efeb5c3107dc5bc  mes5/i586/libgs8-devel-8.63-62.3mdvmes5.i586.rpm
 42bb3a1f0bdef682d8ed32dd4cd4a6f9  mes5/i586/libijs1-0.35-62.3mdvmes5.i586.rpm
 eea9f8a2b112eb7382e3afcce2cf7b32  mes5/i586/libijs1-devel-0.35-62.3mdvmes5.i586.rpm 
 c81b2ecc80d4d336b772708f6d0597b8  mes5/SRPMS/ghostscript-8.63-62.3mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 3b171f576c4da5ed378f76fef0e0aeb2  mes5/x86_64/ghostscript-8.63-62.3mdvmes5.x86_64.rpm
 ed2b0836b7a4ede822c0952ef515fafd  mes5/x86_64/ghostscript-common-8.63-62.3mdvmes5.x86_64.rpm
 4fed216433f8b0b57e15ba2f7db56ef5  mes5/x86_64/ghostscript-doc-8.63-62.3mdvmes5.x86_64.rpm
 0a7dd5e643c5847e22aad380aa2dd9fd  mes5/x86_64/ghostscript-dvipdf-8.63-62.3mdvmes5.x86_64.rpm
 779b16024d8e8bfd033374b6facae06d  mes5/x86_64/ghostscript-module-X-8.63-62.3mdvmes5.x86_64.rpm
 c71e7fd9849cd6f068692445b9d276f8  mes5/x86_64/ghostscript-X-8.63-62.3mdvmes5.x86_64.rpm
 b410c041382d1e5b0660d59444e76e5d  mes5/x86_64/lib64gs8-8.63-62.3mdvmes5.x86_64.rpm
 6be22e00b18420ae3869c8e992457512  mes5/x86_64/lib64gs8-devel-8.63-62.3mdvmes5.x86_64.rpm
 53cd9beb7f4f864c82374e12c9650686  mes5/x86_64/lib64ijs1-0.35-62.3mdvmes5.x86_64.rpm
 2715b78eba10382e254d79783e5c74bd  mes5/x86_64/lib64ijs1-devel-0.35-62.3mdvmes5.x86_64.rpm 
 c81b2ecc80d4d336b772708f6d0597b8  mes5/SRPMS/ghostscript-8.63-62.3mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKbzS2mqjQ0CJFipgRAhOCAJ0QvEQDjyMuVkGWpPrsqoreAvg3zACcD8Ht
pMn92KxDJ/tQMexED1MckiM=
=ykFM
-----END PGP SIGNATURE-----
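
Added example, not part of the advisory and not JasPer or Mandriva code: the two bug classes named above (integer multiplication feeding a memory allocation, and unbounded vsprintf formatting) shown in their hardened form. The helper names alloc_array and bounded_printf and the sample inputs are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: allocate count * size bytes, refusing when the
 * product would wrap around SIZE_MAX (the CVE-2008-3520 bug class). */
void *alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;            /* count * size does not fit in size_t */
    return malloc(count * size);
}

/* Hypothetical helper: format into a caller-sized buffer with vsnprintf
 * instead of vsprintf (the CVE-2008-3522 bug class). Returns the number
 * of characters written, or -1 if the output failed or was truncated. */
int bounded_printf(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buflen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';          /* never hand back a half-written record */
        return -1;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: dimensions as an untrusted image header
     * might supply them. */
    size_t width = SIZE_MAX / 2 + 1, height = 4;
    char hdr[16];
    void *p = alloc_array(width, height);

    printf("oversized alloc: %s\n", p ? "allocated" : "rejected");
    free(p);
    printf("short header: %d\n", bounded_printf(hdr, sizeof hdr, "w=%d", 640));
    printf("long header: %d\n",
           bounded_printf(hdr, sizeof hdr, "w=%d h=%d c=%d", 100000, 100000, 3));
    return 0;
}
```

An unchecked malloc(width * height) with these inputs would wrap to a small size and return a buffer far shorter than the caller expects, which is why the check happens before the multiplication.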
