Re: Wheezy update of ghostscript?

To: Ola Lundqvist <ola@inguza.com>
Cc: debian-lts@lists.debian.org
Subject: Re: Wheezy update of ghostscript?
From: Chris Lamb <lamby@debian.org>
Date: Mon, 09 Jan 2017 09:45:09 +0000
Message-id: <[🔎] 1483955109.3531798.841591361.39EEB4EF@webmail.messagingengine.com>
In-reply-to: <CABY6=0k4bEi7KUFut6czt3Zq+fyAVLJCAUT7QB9Q9SkhvfpttA@mail.gmail.com>
References: <[🔎] 1483608717.1641055.838003385.16544D95@webmail.messagingengine.com> <CABY6=0k4bEi7KUFut6czt3Zq+fyAVLJCAUT7QB9Q9SkhvfpttA@mail.gmail.com>

[Adding debian-lts@lists.debian.org to CC]

Ola Lundqvist wrote:

> I started to look into ghostscript but I could not find any CVE for
> it. Do you remember which CVE that you had in mind?

It was CVE-2016-9601, but:

commit 3999fc68814dbeb21394d0f49d4cb424bee59da8
Author: jmm <jmm@e39458fd-73e7-0310-bf30-c45bca0a0e42>
Date:   Thu Jan 5 12:17:38 2017 +0000

    fix source package, the vulnerability seems to be in jbig2dec, which is used by ghostscript these days


    git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@47750 e39458fd-73e7-0310-bf30-c45bca0a0e42

diff --git a/data/CVE/list b/data/CVE/list
index adbfb066..24d2f097 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -11310,7 +11310,7 @@ CVE-2016-9602
        RESERVED
 CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new function]
        RESERVED
-       - ghostscript <unfixed>
+       - jbig2dec <unfixed>
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697457
 CVE-2016-9600 [Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder]
        RESERVED


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Reply to:

References:
- Wheezy update of ghostscript?
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Wheezy update of w3m?
Next by Date: Re: wheezy update for libav
Previous by thread: Wheezy update of ghostscript?
Next by thread: LTS report for December
Index(es):
- Date
- Thread