FEDORA-2016-1c13825502 created by dkaspar 3 years ago for Fedora 23
stable

This is a rebase of the ghostscript package to address several security issues:

  • CVE-2016-7977 - .libfile does not honor -dSAFER
  • CVE-2013-5653 - getenv and filenameforall ignore -dSAFER
  • CVE-2016-7976 - various userparams allow %pipe% in paths, allowing remote shell
  • CVE-2016-7978 - reference leak in .setdevice allows use-after-free and remote code execution
  • CVE-2016-7979 - Type confusion in .initialize_dsc_parser allows remote code execution

INFORMATION FOR FEDORA PACKAGERS & MAINTAINERS:

ghostscript has been rebased to the latest upstream version (9.20). Rebase notes:

  • no API/ABI changes between versions 9.16 and 9.20, according to upstream
  • OpenJPEG support has been retained
  • the ijs-config custom tool has been removed by upstream (pkg-config is used by default now instead, see commit 0c176a9)
  • some patches were updated to the 'git format-patch' format and renamed
  • the rest of the patches were deleted (irrelevant for the current version), mostly because upstream has fixed those issues in some way

How to install

sudo dnf upgrade --advisory=FEDORA-2016-1c13825502

This update has been submitted for testing by dkaspar.

3 years ago

This update has been pushed to testing.

3 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

3 years ago

This update has been submitted for stable by dkaspar.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -4
Stable by Karma: 12
Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
Bugs
  • BZ#1380327 CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
  • BZ#1380415 CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
  • BZ#1382294 CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell
  • BZ#1382300 CVE-2016-7978 ghostscript: reference leak in .setdevice allows use-after-free and remote code execution
  • BZ#1382305 CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
