#2488: ESP Ghostscript security issue ----------------------------------------+----------------------------------- Reporter: [EMAIL PROTECTED] | Owner: [email protected] Type: defect | Status: new Priority: high | Milestone: 6.3 Component: BOOK | Version: SVN Severity: major | Keywords: ----------------------------------------+----------------------------------- Alexander wrote in BLFS-Dev:
Randy McMurchy wrote: > > The short answer is that ESP GS will probably stay in the book > > as is until after BLFS-6.3 has been released. Even though my FreeBSD installation received a security advisory (stack- based buffer overflow) against a newer (8.61) GPL version of Ghostscript? See http://scary.beasts.org/security/CESA-2008-001.html, it applies to Linux, too. There's a patch that is reported to fix it. This patch should be tested and implemented into the book if it works as expected. Here is the patch (from http://bugs.gentoo.org/attachment.cgi?id=143467): --- src/zicc.c +++ src/zicc.c 2008-02-05 16:11:59.000000000 +0000 @@ -77,6 +77,9 @@ zseticcspace(i_ctx_t * i_ctx_p) dict_find_string(op, "N", &pnval); ncomps = pnval->value.intval; + if (2*ncomps > sizeof(range_buff)/sizeof(float)) + return_error(e_rangecheck); + /* verify the DataSource entry */ if (dict_find_string(op, "DataSource", &pstrmval) <= 0) return_error(e_undefined); -- Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/2488> BLFS Trac <http://wiki.linuxfromscratch.org/blfs> Beyond Linux From Scratch -- http://linuxfromscratch.org/mailman/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
