[Desktop-packages] [Bug 1643270] Re: ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

2016-12-01 Thread Tyler Hicks
https://www.ubuntu.com/usn/usn-3148-1/

** Changed in: ghostscript (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.
https://bugs.launchpad.net/bugs/1643270

Title:
  ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

Status in ghostscript package in Ubuntu:
  Fix Released

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs
  including a quite serious remote shell execution issue
  (CVE-2016-7976).

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

    * Non-maintainer upload.
    * CVE-2013-5653: Information disclosure through getenv, filenameforall
      (Closes: #839118)
    * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
      shell command execution (Closes: #839260)
    * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
      remote file disclosure (Closes: #839841)
    * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
      remote code execution (Closes: #839845)
    * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
      execution (Closes: #839846)
    * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
      types (Closes: #840451)
    * Add 840691-Fix-.locksafe.patch patch.
      Fixes regression seen with zathura and evince. Fix .locksafe. We need to
      .forceput the definition of getenv into systemdict.
      Thanks to Edgar Fuß

   -- Salvatore Bonaccorso  Thu, 27 Oct 2016 13:25:52 +0200

  I can't tell if this is in progress, but it's been a few weeks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1643270/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
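The Debian changelog stanza quoted in the bug description is the artefact a distribution security team cross-checks against an advisory such as USN-3148-1 to confirm that every CVE was carried over. The following Python is an added example written for this page; it is not code from Launchpad, Debian or Ubuntu. It parses the stanza (embedded below as a constructed copy of the one quoted above, with the maintainer's e-mail address omitted because the page does not show it), maps each CVE to the Debian bug numbers it closes, and reports any CVE that an advisory lists but the changelog does not mention, or vice versa. The advisory CVE list used in the usage block is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the stanza quoted in the bug report above, re-indented
# in the usual debian/changelog layout. The maintainer's e-mail address is
# omitted because it is not shown on this page.
CHANGELOG = """\
ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * CVE-2013-5653: Information disclosure through getenv, filenameforall
    (Closes: #839118)
  * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
    shell command execution (Closes: #839260)
  * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
    remote file disclosure (Closes: #839841)
  * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
    remote code execution (Closes: #839845)
  * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
    execution (Closes: #839846)
  * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
    types (Closes: #840451)
  * Add 840691-Fix-.locksafe.patch patch.
    Fixes regression seen with zathura and evince. Fix .locksafe. We need to
    .forceput the definition of getenv into systemdict.
    Thanks to Edgar Fuß

 -- Salvatore Bonaccorso  Thu, 27 Oct 2016 13:25:52 +0200
"""

# "source (version) distribution; urgency=level", the header line dch(1) writes.
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<distribution>\S+); urgency=(?P<urgency>\S+)"
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
CLOSES_RE = re.compile(r"Closes:\s*#(\d+)")


@dataclass
class ChangelogEntry:
    source: str
    version: str
    distribution: str
    urgency: str
    items: list = field(default_factory=list)  # one string per "*" bullet


def parse_changelog(text):
    """Parse the first stanza of a debian/changelog into a ChangelogEntry.

    Continuation lines are joined onto their bullet, so a "(Closes: #NNN)"
    wrapped onto the next line stays attached to the CVE it belongs to.
    """
    header = None
    items = []
    for line in text.splitlines():
        stripped = line.strip()
        if header is None:
            match = HEADER_RE.match(line)
            if match:
                header = match.groupdict()
            continue                      # ignore anything before the header
        if stripped.startswith("-- "):    # maintainer trailer closes the stanza
            break
        if stripped.startswith("* "):
            items.append(stripped[2:])
        elif stripped and items:
            items[-1] += " " + stripped
    if header is None:
        raise ValueError("no changelog header found")
    return ChangelogEntry(items=items, **header)


def cve_fixes(entry):
    """Map each CVE named in the entry to the Debian bug numbers closed with it."""
    fixes = {}
    for item in entry.items:
        bugs = {int(number) for number in CLOSES_RE.findall(item)}
        for cve in CVE_RE.findall(item):
            fixes.setdefault(cve, set()).update(bugs)
    return fixes


def cross_check(entry, advisory_cves):
    """Compare the changelog's CVEs with the list an advisory claims.

    Returns (only_in_advisory, only_in_changelog), both sorted lists.
    """
    in_changelog = set(cve_fixes(entry))
    in_advisory = set(advisory_cves)
    return sorted(in_advisory - in_changelog), sorted(in_changelog - in_advisory)


if __name__ == "__main__":
    entry = parse_changelog(CHANGELOG)
    print(f"{entry.source} {entry.version} ({entry.distribution}, urgency={entry.urgency})")
    for cve, bugs in sorted(cve_fixes(entry).items()):
        print(f"  {cve}: closes {', '.join(f'#{b}' for b in sorted(bugs))}")
    # Hypothetical advisory list: one CVE left out and one extra, to show the report.
    only_advisory, only_changelog = cross_check(
        entry, ["CVE-2016-7976", "CVE-2016-7977", "CVE-2016-7978",
                "CVE-2016-7979", "CVE-2016-8602", "CVE-2016-9999"])
    print("in advisory but not in changelog:", only_advisory)
    print("in changelog but not in advisory:", only_changelog)
```

Run stand-alone it prints the six CVEs with their Closes: numbers, then the two mismatch lists for the hypothetical advisory. Only the first stanza is parsed, which is the one that matters when checking a single upload; the trailer line terminates it so older entries are not swept in.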


[Desktop-packages] [Bug 1643270] Re: ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

2016-12-01 Thread Emily Ratliff
Updates are now available for testing in the security-proposed PPA and
will be published shortly.

Status in ghostscript package in Ubuntu:
  In Progress

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs
  including a quite serious remote shell execution issue
  (CVE-2016-7976).

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

* Non-maintainer upload.
* CVE-2013-5653: Information disclosure through getenv, filenameforall
  (Closes: #839118)
* CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
  shell command execution (Closes: #839260)
* CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
  remote file disclosure (Closes: #839841)
* CVE-2016-7978: reference leak in .setdevice allows use-after-free and
  remote code execution (Closes: #839845)
* CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
  execution (Closes: #839846)
* CVE-2016-8602: check for sufficient params in .sethalftone5 and param
  types (Closes: #840451)
* Add 840691-Fix-.locksafe.patch patch.
  Fixes regression seen with zathura and evince. Fix .locksafe. We need to
  .forceput the defintion of getenv into systemdict.
  Thanks to Edgar Fuß 

   -- Salvatore Bonaccorso   Thu, 27 Oct 2016
  13:25:52 +0200

  
  I can't tell if this is in progress, but it's been a few weeks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1643270/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp


[Desktop-packages] [Bug 1643270] Re: ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

2016-12-01 Thread Tyler Hicks
I was mistaken. Emily was already working on updates. We'll update this
bug when she publishes the updates.

** Changed in: ghostscript (Ubuntu)
   Importance: Undecided => High

** Changed in: ghostscript (Ubuntu)
   Status: Triaged => In Progress

** Changed in: ghostscript (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => Emily Ratliff (emilyr)

Status in ghostscript package in Ubuntu:
  In Progress

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs
  including a quite serious remote shell execution issue
  (CVE-2016-7976).

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

* Non-maintainer upload.
* CVE-2013-5653: Information disclosure through getenv, filenameforall
  (Closes: #839118)
* CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
  shell command execution (Closes: #839260)
* CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
  remote file disclosure (Closes: #839841)
* CVE-2016-7978: reference leak in .setdevice allows use-after-free and
  remote code execution (Closes: #839845)
* CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
  execution (Closes: #839846)
* CVE-2016-8602: check for sufficient params in .sethalftone5 and param
  types (Closes: #840451)
* Add 840691-Fix-.locksafe.patch patch.
  Fixes regression seen with zathura and evince. Fix .locksafe. We need to
  .forceput the defintion of getenv into systemdict.
  Thanks to Edgar Fuß 

   -- Salvatore Bonaccorso   Thu, 27 Oct 2016
  13:25:52 +0200

  
  I can't tell if this is in progress, but it's been a few weeks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1643270/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp


[Desktop-packages] [Bug 1643270] Re: ghostscript (9.19~dfsg-3.1) fixes 6 CVEs

2016-12-01 Thread Tyler Hicks
Thanks for the report, Bill. We're aware of these issues but have given
priority to other security updates since they were discussed on oss-
security. We intend to work on updates soon.

** Information type changed from Private Security to Public Security

** Changed in: ghostscript (Ubuntu)
   Status: New => Triaged

** Changed in: ghostscript (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

Status in ghostscript package in Ubuntu:
  Triaged

Bug description:
  There is a Debian update to ghostscript that fixes several CVEs
  including a quite serious remote shell execution issue
  (CVE-2016-7976).

  ghostscript (9.19~dfsg-3.1) unstable; urgency=medium

* Non-maintainer upload.
* CVE-2013-5653: Information disclosure through getenv, filenameforall
  (Closes: #839118)
* CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
  shell command execution (Closes: #839260)
* CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
  remote file disclosure (Closes: #839841)
* CVE-2016-7978: reference leak in .setdevice allows use-after-free and
  remote code execution (Closes: #839845)
* CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
  execution (Closes: #839846)
* CVE-2016-8602: check for sufficient params in .sethalftone5 and param
  types (Closes: #840451)
* Add 840691-Fix-.locksafe.patch patch.
  Fixes regression seen with zathura and evince. Fix .locksafe. We need to
  .forceput the defintion of getenv into systemdict.
  Thanks to Edgar Fuß 

   -- Salvatore Bonaccorso   Thu, 27 Oct 2016
  13:25:52 +0200

  
  I can't tell if this is in progress, but it's been a few weeks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1643270/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp