On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote: > > Package : ghostscript > > CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 > > CVE-2016-7979 CVE-2016-8602 > > Debian Bug : 839118 839260 839841 839845 839846 840451 > > > > Several vulnerabilities were discovered in Ghostscript, the GPL > > PostScript/PDF interpreter, which may lead to the execution of arbitrary > > code or information disclosure if a specially crafted Postscript file is > > processed.
> I've checked just now. GNU Ghostscript is also affected at least by > CVE-2016-8602. Looking at the patch in this bug report and the > source, one can see that the vulnerable lines are present in GNU > Ghostscript. What should we do now? I don't know the relationship between GNU Ghostscript and "upstream" Ghostscript. Can anyone explain why GNU offers its own distribution? We can try cherry-picking the upstream commits that fix each of these bugs . Hopefully they apply to our older Ghostscript version. If the resulting package's ABI is compatible to our current package, we can apply it with a graft on the master branch. We should also apply these patches to the ghostscript package on core-updates. Do you want to try it? Debian helpfully links to the upstream commits corresponding to each bug: https://security-tracker.debian.org/tracker/CVE-2013-5653
Description: PGP signature