On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote:
> > Package        : ghostscript
> > CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
> >                  CVE-2016-7979 CVE-2016-8602
> > Debian Bug     : 839118 839260 839841 839845 839846 840451
> >
> > Several vulnerabilities were discovered in Ghostscript, the GPL
> > PostScript/PDF interpreter, which may lead to the execution of arbitrary
> > code or information disclosure if a specially crafted Postscript file is
> > processed.

> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?

I don't know the relationship between GNU Ghostscript and "upstream"
Ghostscript. Can anyone explain why GNU offers its own distribution?

We can try cherry-picking the upstream commits that fix each of these
bugs [0]. Hopefully they apply to our older Ghostscript version.

If the resulting package's ABI is compatible with our current package, we
can apply it with a graft on the master branch.

We should also apply these patches to the ghostscript package on

Do you want to try it?

Debian helpfully links to the upstream commits corresponding to each
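The graft approach described in this reply, written out as an added example in Guix's package language. This is not code from the thread or from Guix's own ghostscript definition; the patch file names and the `ghostscript/fixed` variable name are placeholders, and the fixed package must keep the same name and version and stay ABI-compatible for the graft to be valid.

```scheme
;; Added example: a Guix graft that swaps in a patched Ghostscript
;; without rebuilding everything that depends on it.
(define-module (gnu packages ghostscript-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix licenses)
  #:use-module (guix build-system gnu))

;; The package that is currently on master (fields abbreviated; the
;; hash is a placeholder, not a real checksum).
(define-public ghostscript
  (package
    (name "ghostscript")
    (version "9.14.0")                          ; assumed version
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
                                  version ".tar.xz"))
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (synopsis "PostScript and PDF interpreter")
    (description "Ghostscript is an interpreter for PostScript and PDF.")
    (home-page "https://www.gnu.org/software/ghostscript/")
    (license agpl3+)
    ;; The graft: users of this package transparently get the fixed build.
    (replacement ghostscript/fixed)))

;; Same package, same version, plus the cherry-picked upstream fixes
;; applied as patch files under gnu/packages/patches/.  Patch file names
;; are placeholders for the commits Debian links to in its advisory.
(define ghostscript/fixed
  (package
    (inherit ghostscript)
    (source (origin
              (inherit (package-source ghostscript))
              (patches (search-patches
                        "ghostscript-CVE-2013-5653.patch"
                        "ghostscript-CVE-2016-7976.patch"
                        "ghostscript-CVE-2016-7977.patch"
                        "ghostscript-CVE-2016-7978.patch"
                        "ghostscript-CVE-2016-7979.patch"
                        "ghostscript-CVE-2016-8602.patch"))))))
```

With `replacement` set, `guix build ghostscript` builds the original derivation and then rewrites references to its store path into references to `ghostscript/fixed`, so dependents do not need to be rebuilt. Because the rewrite is a byte-for-byte path substitution, it only works when the fixed package exports the same library ABI; a version or soname bump has to go through a full rebuild instead.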
