Hi, uploading a 0-day NMU to fix this as the maintainer is listed in the LowThresholdNmu list.
Attached is the patch to fix this. It will be also archived on: http://people.debian.org/~nion/nmu-diff/ghostscript-8.61.dfsg.1-1_8.61.dfsg.1-1.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ghostscript-8.61.dfsg.1/debian/changelog ghostscript-8.61.dfsg.1/debian/changelog --- ghostscript-8.61.dfsg.1/debian/changelog +++ ghostscript-8.61.dfsg.1/debian/changelog @@ -1,3 +1,13 @@ +ghostscript (8.61.dfsg.1-1.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * Fix stack based buffer overflow in the zseticcspace() function possibly + leading to arbitrary code exeuction via a crafted ps file. + (31_CVE-2008-0411.dpatch; Closes: #468190). + * Adjusting libgs shlibs file to match the new version number. + + -- Nico Golde <[EMAIL PROTECTED]> Sat, 01 Mar 2008 11:18:27 +0100 + ghostscript (8.61.dfsg.1-1) unstable; urgency=low [Masayuki Hatta] diff -u ghostscript-8.61.dfsg.1/debian/patches/00list ghostscript-8.61.dfsg.1/debian/patches/00list --- ghostscript-8.61.dfsg.1/debian/patches/00list +++ ghostscript-8.61.dfsg.1/debian/patches/00list @@ -20 +20 @@ - +31_CVE-2008-0411.dpatch diff -u ghostscript-8.61.dfsg.1/debian/libgs8.shlibs ghostscript-8.61.dfsg.1/debian/libgs8.shlibs --- ghostscript-8.61.dfsg.1/debian/libgs8.shlibs +++ ghostscript-8.61.dfsg.1/debian/libgs8.shlibs @@ -1 +1 @@ -libgs 8 libgs8 (= 8.61.dfsg.1-1) +libgs 8 libgs8 (= 8.61.dfsg.1-1.1) only in patch2: unchanged: --- ghostscript-8.61.dfsg.1.orig/debian/patches/31_CVE-2008-0411.dpatch +++ ghostscript-8.61.dfsg.1/debian/patches/31_CVE-2008-0411.dpatch @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 31_CVE-2008-0411.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: fix for CVE-2008-0411 + [EMAIL PROTECTED]@ +diff -urNad ghostscript-8.61.dfsg.1~/src/zicc.c ghostscript-8.61.dfsg.1/src/zicc.c +--- ghostscript-8.61.dfsg.1~/src/zicc.c 2007-09-25 15:31:24.000000000 +0200 ++++ ghostscript-8.61.dfsg.1/src/zicc.c 2008-03-01 11:17:18.000000000 +0100 +@@ -77,6 +77,9 @@ + dict_find_string(op, "N", &pnval); + ncomps = pnval->value.intval; + ++ if (2*ncomps > sizeof(range_buff)/sizeof(float)) ++ return_error(e_rangecheck); ++ + /* verify the DataSource entry */ + if (dict_find_string(op, "DataSource", &pstrmval) <= 0) + return_error(e_undefined);
pgpDIGvul9Xaw.pgp
Description: PGP signature

