Your message dated Fri, 28 Oct 2016 18:20:44 +0000
with message-id <e1c0blk-0002b7...@franck.debian.org>
and subject line Bug#839118: fixed in ghostscript 9.19~dfsg-3.1
has caused the Debian Bug report #839118,
regarding ghostscript: CVE-2013-5653: getenv and filenameforall ignore -dSAFER
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
839118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839118
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 9.06~dfsg-2+deb8u1
Tags: security

This issue is now public, but was apparently never properly announced:

  http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
  http://bugs.ghostscript.com/show_bug.cgi?id=694724

Reproducer:

%!PS
(HOME) getenv { print (\n) print } { (variable not found\n) print } ifelse

--- End Message ---
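
Added example (not part of the bug report, and not Debian or upstream code): a regression check built on the reproducer above, with HOME swapped for a canary variable so a leak is unambiguous. The names GS_SAFER_CANARY, reproducer, classify and check_gs_safer are hypothetical, and it is an assumption that a fixed interpreter takes the reproducer's "variable not found" branch.

```sh
#!/bin/sh
# Regression check for getenv under -dSAFER (CVE-2013-5653).
# Canary name and value are constructed for this example.
CANARY_NAME=GS_SAFER_CANARY
CANARY_VALUE=canary-839118-constructed

# Emit the report's reproducer, querying the canary instead of HOME.
reproducer() {
    printf '%%!PS\n(%s) getenv { print (\\n) print } { (variable not found\\n) print } ifelse\n' "$CANARY_NAME"
}

# Classify interpreter output:
#   LEAK    - the canary value came back, so getenv ignored -dSAFER
#   BLOCKED - the reproducer's else-branch ran (assumed fixed behaviour)
#   UNKNOWN - neither marker seen (error, or output not understood)
classify() {
    case "$1" in
        *"$CANARY_VALUE"*)      echo LEAK ;;
        *"variable not found"*) echo BLOCKED ;;
        *)                      echo UNKNOWN ;;
    esac
}

# Run the installed gs with -dSAFER, feeding the reproducer on stdin.
# Returns 0 only when getenv was blocked, 2 when gs is not installed.
check_gs_safer() {
    command -v gs >/dev/null 2>&1 || { echo "gs not installed" >&2; return 2; }
    out=$(reproducer | env "$CANARY_NAME=$CANARY_VALUE" \
          gs -q -dSAFER -dBATCH -dNOPAUSE -dNODISPLAY - 2>&1)
    verdict=$(classify "$out")
    echo "getenv under -dSAFER: $verdict"
    [ "$verdict" = BLOCKED ]
}

# Only touch the real interpreter when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_gs_safer
fi
```

Run it with `--run` after upgrading the package; a LEAK or UNKNOWN verdict gives a non-zero exit status suitable for a CI or post-install check.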
--- Begin Message ---
Source: ghostscript
Source-Version: 9.19~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Oct 2016 13:25:52 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.19~dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-print...@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 839118 839260 839841 839845 839846 840451
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.19~dfsg-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2013-5653: Information disclosure through getenv, filenameforall
     (Closes: #839118)
   * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
     shell command execution (Closes: #839260)
   * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
     remote file disclosure (Closes: #839841)
   * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
     remote code execution (Closes: #839845)
   * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
     execution (Closes: #839846)
   * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
     types (Closes: #840451)
   * Add 840691-Fix-.locksafe.patch patch.
     Fixes regression seen with zathura and evince. Fix .locksafe. We need to
     .forceput the definition of getenv into systemdict.
     Thanks to Edgar Fuß <e...@math.uni-bonn.de>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
