stable
FEDORA-2016-53e8aa35f6 created by dkaspar 6 years ago for Fedora 24

This is a rebase of ghostscript package, to address several security issues:

  • CVE-2016-7977 - .libfile does not honor -dSAFER
  • CVE-2013-5653 - getenv and filenameforall ignore -dSAFER
  • CVE-2016-7976 - various userparams allow %pipe% in paths, allowing remote shell
  • CVE-2016-7978 - reference leak in .setdevice allows use-after-free and remote code execution
  • CVE-2016-7979 - Type confusion in .initialize_dsc_parser allows remote code execution
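A triage check that goes with the list above, added here as an example and not part of the Fedora update or of ghostscript: a static scanner that flags PostScript input referencing the operators and the %pipe% file-name prefix named in these CVEs, skipping % comments so DSC headers and commented-out text do not trigger. The indicator-to-CVE mapping is taken from the list above; the sample PostScript is constructed. A hit means the file reaches code paths that were exposed under -dSAFER on unpatched builds and deserves a look before rendering; a miss proves nothing, since PostScript can assemble operator names and strings at run time. This complements updating to 9.20 and still running with -dSAFER, it does not replace either.

```python
"""Static triage of PostScript source for operators named in the ghostscript
9.20 security fixes (CVE-2013-5653, CVE-2016-7976, -7977, -7978, -7979).
Added example; not part of the Fedora update or of ghostscript."""
import re
from typing import Dict, List, Tuple

# Indicator -> CVE, as listed in the update.  '%pipe%' is a file-name prefix
# (it appears inside a string such as (%pipe%cmd)); the rest are operators.
INDICATORS: Dict[str, str] = {
    "%pipe%": "CVE-2016-7976",
    ".libfile": "CVE-2016-7977",
    "getenv": "CVE-2013-5653",
    "filenameforall": "CVE-2013-5653",
    ".setdevice": "CVE-2016-7978",
    ".initialize_dsc_parser": "CVE-2016-7979",
}

# Characters that delimit a PostScript name token; a match must be a whole token.
_DELIM = r"()<>\[\]{}/%\s"
_NAME_RE = re.compile(
    r"(?<![^" + _DELIM + r"])("
    + "|".join(re.escape(k) for k in INDICATORS if k != "%pipe%")
    + r")(?![^" + _DELIM + r"])"
)

Segment = Tuple[str, str, int]  # (kind, text, line number of the segment start)


def segments(src: str) -> List[Segment]:
    """Split source into 'code', 'string' and 'comment' segments.

    Strings are (...) with nested parens and backslash escapes; a comment runs
    from % to end of line when outside a string.  <hex> strings stay as code."""
    out: List[Segment] = []
    i, n, line = 0, len(src), 1
    start, seg_line, kind, depth = 0, 1, "code", 0

    def flush(end: int, new_kind: str, new_start: int) -> None:
        nonlocal start, seg_line, kind
        if end > start:
            out.append((kind, src[start:end], seg_line))
        kind, start, seg_line = new_kind, new_start, line

    while i < n:
        c = src[i]
        if kind == "code":
            if c == "(":
                flush(i, "string", i)
                depth = 1
            elif c == "%":
                flush(i, "comment", i)
        elif kind == "string":
            if c == "\\":
                i += 1  # skip the escaped character (may be ')' or a newline)
            elif c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    flush(i + 1, "code", i + 1)
        elif c == "\n":  # comment ends at end of line
            flush(i, "code", i)
        if i < n and src[i] == "\n":
            line += 1
        i += 1
    flush(n, "code", n)
    return out


def scan(src: str) -> List[Tuple[int, str, str]]:
    """Return (line, indicator, cve) hits; comments are ignored, strings are
    searched for %pipe% only, code is searched for the operator names."""
    hits: List[Tuple[int, str, str]] = []
    for kind, text, first_line in segments(src):
        if kind == "comment":
            continue
        if kind == "string":
            for m in re.finditer(re.escape("%pipe%"), text):
                line = first_line + text[: m.start()].count("\n")
                hits.append((line, "%pipe%", INDICATORS["%pipe%"]))
        else:
            for m in _NAME_RE.finditer(text):
                line = first_line + text[: m.start()].count("\n")
                hits.append((line, m.group(1), INDICATORS[m.group(1)]))
    return hits


# Constructed sample: the commented-out line 3 must not be reported.
SAMPLE_PS = """%!PS-Adobe-3.0
% Constructed sample for the scanner; the next comment must not count:
% (%pipe%harmless) .libfile
/Helvetica findfont 12 scalefont setfont
(%pipe%echo hello) (w) file closefile
(PATH) getenv pop pop
mark /OutputFile (%pipe%cat) currentdevice putdeviceprops
(*) { pop } 256 string filenameforall
showpage
"""

if __name__ == "__main__":
    import sys
    sources = [(p, open(p, encoding="latin-1").read()) for p in sys.argv[1:]]
    for name, text in sources or [("<sample>", SAMPLE_PS)]:
        for line, indicator, cve in scan(text):
            print(f"{name}:{line}: {indicator} ({cve})")
```

Run it with one or more .ps files as arguments; with none it scans the built-in constructed sample and reports the %pipe% strings on lines 5 and 7, getenv on line 6 and filenameforall on line 8, while the %pipe% and .libfile text inside the comment on line 3 is skipped.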

INFORMATION FOR FEDORA PACKAGERS & MAINTAINERS:

ghostscript has been rebased to latest upstream version (9.20). Rebase notes:

  • no API/ABI changes between versions 9.16 -> 9.20 according to upstream
  • OpenJPEG support has been retained
  • the custom ijs-config tool has been removed by upstream; pkg-config is used by default instead (see commit 0c176a9)
  • some patches were updated to 'git format-patch' format & renamed
  • the remaining patches were dropped as no longer relevant to the current version, mostly because upstream has fixed those issues in some form

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2016-53e8aa35f6

This update has been submitted for testing by dkaspar.

6 years ago

This update has been pushed to testing.

6 years ago
samoht0 commented & provided feedback 6 years ago
karma

LGTM

cserpentis commented & provided feedback 6 years ago
karma

works for me

mhayden commented & provided feedback 6 years ago
karma

Works for me.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago
yuwata commented & provided feedback 6 years ago
karma

works for me

This update has been submitted for stable by dkaspar.

6 years ago
lupinix commented & provided feedback 6 years ago
karma

works fine

This update has been pushed to stable.

6 years ago


Metadata
  Type: security
  Severity: high
  Karma: 5
  Signed
  Content Type: RPM
  Test Gating
Settings
  Unstable by Karma: -4
  Stable by Karma: 12
  Stable by Time: disabled
Dates
  submitted: 6 years ago
  in testing: 6 years ago
  in stable: 6 years ago
Bugs
  BZ#1380327 CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
  BZ#1380415 CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
  BZ#1382294 CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell
  BZ#1382300 CVE-2016-7978 ghostscript: reference leak in .setdevice allows use-after-free and remote code execution
  BZ#1382305 CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution