Bug#925257: marked as done (ghostscript: CVE-2019-3838: forceput in DefineResource is still accessible)

Debian Bug Tracking System
Your message dated Thu, 18 Apr 2019 17:32:08 +0000
with message-id <[hidden email]>
and subject line Bug#925257: fixed in ghostscript 9.26a~dfsg-0+deb9u2
has caused the Debian Bug report #925257,
regarding ghostscript: CVE-2019-3838: forceput in DefineResource is still accessible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
925257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925257
Debian Bug Tracking System
Contact [hidden email] with problems

Source: ghostscript
Version: 9.26a~dfsg-2
Severity: grave
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=700576
Control: found -1 9.26a~dfsg-0+deb9u1

Hi,

The following vulnerability was published for ghostscript.

CVE-2019-3838[0]:
forceput in DefineResource is still accessible

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3838
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838

Regards,
Salvatore

Source: ghostscript
Source-Version: 9.26a~dfsg-0+deb9u2

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[hidden email]> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Apr 2019 16:40:43 +0200
Source: ghostscript
Architecture: source
Version: 9.26a~dfsg-0+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Printing Team <[hidden email]>
Changed-By: Salvatore Bonaccorso <[hidden email]>
Closes: 925256 925257
Changes:
 ghostscript (9.26a~dfsg-0+deb9u2) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Have gs_cet.ps run from gs_init.ps
   * Undef /odef in gs_init.ps
   * Restrict superexec and remove it from internals and gs_cet.ps
     (CVE-2019-3835) (Closes: #925256)
   * Obliterate "superexec". We don't need it, nor do any known apps
     (CVE-2019-3835) (Closes: #925256)
   * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838)
     (Closes: #925257)
   * an extra transient proc needs executeonly'ed (CVE-2019-3838)
     (Closes: #925257)
Checksums-Sha1:
 a36471ccccfaa5f824feb421b9b8d36a01880ed2 3052 ghostscript_9.26a~dfsg-0+deb9u2.dsc
 64988c4bcb2461931ab91c63de5c3c3c7bb14a07 114608 ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz
Checksums-Sha256:
 f2db945f626273db54377fd2114278e0bedce96310668b6e550b26305ff9d29c 3052 ghostscript_9.26a~dfsg-0+deb9u2.dsc
 83f9bf1932c637733e63e293ed822dff0ea9b47914c743d29725ffc2cee839e8 114608 ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz
Files:
 3eaf5fdf443490ece65b2bf39c69456f 3052 text optional ghostscript_9.26a~dfsg-0+deb9u2.dsc
 be65f72beb08cce7f64abd31998ceb20 114608 text optional ghostscript_9.26a~dfsg-0+deb9u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----