** Changed in: ghostscript (Ubuntu)
       Status: In Progress => Fix Released

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.

  ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

Status in ghostscript package in Ubuntu:
  Fix Released

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs,
  including a quite serious remote shell execution issue.

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

    * Non-maintainer upload.
    * CVE-2013-5653: Information disclosure through getenv, filenameforall
      (Closes: #839118)
    * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
      shell command execution (Closes: #839260)
    * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
      remote file disclosure (Closes: #839841)
    * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
      remote code execution (Closes: #839845)
    * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
      execution (Closes: #839846)
    * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
      types (Closes: #840451)
    * Add 840691-Fix-.locksafe.patch patch.
      Fixes regression seen with zathura and evince. Fix .locksafe. We need to
      .forceput the definition of getenv into systemdict.
      Thanks to Edgar Fuß <>

   -- Salvatore Bonaccorso <>  Thu, 27 Oct 2016 13:25:52 +0200

  I can't tell if this is in progress, but it's been a few weeks.
