I was mistaken. Emily was already working on updates. We'll update this bug when she publishes the updates.

** Changed in: ghostscript (Ubuntu)
   Importance: Undecided => High

** Changed in: ghostscript (Ubuntu)
       Status: Triaged => In Progress

** Changed in: ghostscript (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Emily Ratliff (emilyr)

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.
https://bugs.launchpad.net/bugs/1643270

Title:
  ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

Status in ghostscript package in Ubuntu:
  In Progress

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs
  including a quite serious remote shell execution issue
  (CVE-2016-7976).

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

    * Non-maintainer upload.
    * CVE-2013-5653: Information disclosure through getenv, filenameforall
      (Closes: #839118)
    * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing
      remote shell command execution (Closes: #839260)
    * CVE-2016-7977: .libfile doesn't check PermitFileReading array,
      allowing remote file disclosure (Closes: #839841)
    * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
      remote code execution (Closes: #839845)
    * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote
      code execution (Closes: #839846)
    * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
      types (Closes: #840451)
    * Add 840691-Fix-.locksafe.patch patch.
      Fixes regression seen with zathura and evince. Fix .locksafe. We need
      to .forceput the definition of getenv into systemdict.
      Thanks to Edgar Fuß <e...@math.uni-bonn.de>

   -- Salvatore Bonaccorso <car...@debian.org>  Thu, 27 Oct 2016 13:25:52 +0200

  I can't tell if this is in progress, but it's been a few weeks.