Change logs for ghostscript source package in Cosmic

  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.9) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: code execution vulnerability
        - debian/patches/CVE-2019-3839-1.patch: hide pdfdict and GS_PDF_ProcSet
          in Resource/Init/pdf_base.ps, Resource/Init/pdf_draw.ps,
          Resource/Init/pdf_font.ps, Resource/Init/pdf_main.ps,
          Resource/Init/pdf_ops.ps, Resource/Init/pdf_sec.ps.
        - debian/patches/CVE-2019-3839-2.patch: fix lib/pdf2dsc.ps to use
          documented Ghostscript pdf procedures in lib/pdf2dsc.ps.
        - CVE-2019-3839
    
     -- Marc Deslauriers <email address hidden>  Tue, 07 May 2019 12:47:33 -0400
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.8) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: superexec operator is available
        - debian/patches/CVE-2019-3835-pre1.patch: Have gs_cet.ps run from
          gs_init.ps in Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
        - debian/patches/CVE-2019-3835-pre2.patch: Undef /odef in
          Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
        - debian/patches/CVE-2019-3835-1.patch: restrict superexec and remove
          it in Resource/Init/gs_cet.ps, Resource/Init/gs_dps1.ps,
          Resource/Init/gs_fonts.ps, Resource/Init/gs_init.ps,
          Resource/Init/gs_ttf.ps, Resource/Init/gs_type1.ps.
        - debian/patches/CVE-2019-3835-2.patch: obliterate superexec in
          Resource/Init/gs_init.ps, psi/icontext.c, psi/icstate.h,
          psi/zcontrol.c, psi/zdict.c, psi/zgeneric.c.
        - CVE-2019-3835
      * SECURITY UPDATE: forceput in DefineResource is still accessible
        - debian/patches/CVE-2019-3838-1.patch: make a transient proc
          executeonly in Resource/Init/gs_res.ps.
        - debian/patches/CVE-2019-3838-2.patch: an extra transient proc needs
          executeonly in Resource/Init/gs_res.ps.
        - CVE-2019-3838
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 Mar 2019 08:14:22 -0400
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.7) cosmic-security; urgency=medium
    
      * SECURITY REGRESSION: High RIP_MAX_CACHE makes cups output device fail,
        second fix attempt. (LP: #1815339)
        - debian/patches/lp1815339.patch: re-enable.
        - debian/patches/lp1815339-2.patch: properly map RGBW color space in
          cups/gdevcups.c.
    
     -- Marc Deslauriers <email address hidden>  Mon, 25 Feb 2019 09:38:22 -0500
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.6) cosmic-security; urgency=medium
    
      * SECURITY REGRESSION: Ghostscript update causes blue background
        (LP: #1817308)
        - disable debian/patches/lp1815339.patch
    
     -- Chris Coulson <email address hidden>  Sat, 23 Feb 2019 06:49:04 +0100
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.5) cosmic-security; urgency=medium
    
      * SECURITY REGRESSION: High RIP_MAX_CACHE makes cups output device fail
        (LP: #1815339)
        - debian/patches/lp1815339.patch: fix logic in cups/gdevcups.c.
      * debian/libgs9.symbols: add new symbol missing in previous update.
    
     -- Marc Deslauriers <email address hidden>  Wed, 20 Feb 2019 11:45:19 +0100
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.4) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: code execution vulnerability
        - debian/patches/CVE-2019-6116.patch: address .force* operators
          exposure in Resource/Init/gs_diskn.ps, Resource/Init/gs_dps1.ps,
          Resource/Init/gs_fntem.ps, Resource/Init/gs_fonts.ps,
          Resource/Init/gs_init.ps, Resource/Init/gs_lev2.ps,
          Resource/Init/gs_pdfwr.ps, Resource/Init/gs_res.ps,
          Resource/Init/gs_setpd.ps, Resource/Init/pdf_base.ps,
          Resource/Init/pdf_draw.ps, Resource/Init/pdf_font.ps,
          Resource/Init/pdf_main.ps, Resource/Init/pdf_ops.ps,
          psi/int.mak, psi/interp.c, psi/istack.c, psi/istack.h.
        - CVE-2019-6116
    
     -- Marc Deslauriers <email address hidden>  Wed, 16 Jan 2019 09:45:52 -0500
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.3) cosmic-security; urgency=medium
    
      * SECURITY REGRESSION: multiple regressions (LP: #1806517)
        - debian/patches/020181126-96c381c*.patch: fix duplex issue.
        - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
          -dLastPage issue.
    
     -- Marc Deslauriers <email address hidden>  Thu, 06 Dec 2018 07:14:48 -0500
  • ghostscript (9.26~dfsg+0-0ubuntu0.18.10.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: Updated to 9.26 to fix multiple security issues
        - CVE-2018-19409
        - CVE-2018-19475
        - CVE-2018-19476
        - CVE-2018-19477
      * Removed patches included in new version:
        - debian/patches/0218*.patch
        - debian/patches/lp1800062.patch
      * debian/libgs9.symbols: updated for new version.
    
     -- Marc Deslauriers <email address hidden>  Wed, 28 Nov 2018 07:12:52 -0500
  • ghostscript (9.25~dfsg+1-0ubuntu1.1) cosmic-security; urgency=medium
    
      * SECURITY UPDATE: Multiple security issues
        - debian/patches/0218*.patch: multiple cherry-picked upstream commits
          to fix security issues. Thanks to Jonas Smedegaard for cherry-picking
          these for Debian's 9.25~dfsg-3 package.
        - debian/libgs9.symbols: added new symbol.
        - CVE-2018-17961
        - CVE-2018-18073
        - CVE-2018-18284
      * Fix LeadingEdge regression introduced in 9.22. (LP: #1800062)
        - debian/patches/lp1800062.patch: fix cups get/put_params LeadingEdge
          logic in cups/gdevcups.c.
    
     -- Marc Deslauriers <email address hidden>  Tue, 30 Oct 2018 08:38:06 -0400
  • ghostscript (9.25~dfsg+1-0ubuntu1) cosmic; urgency=medium
    
      * New upstream bug fix release
        Highlights:
        - Highly recommended by upstream, release done to fix regressions in 9.24.
        - This release fixes problems with argument handling, some unintended
          results of the security fixes to the SAFER file access restrictions
          (specifically accessing ICC profile files), and some additional security
          issues over the recent 9.24 release.
        - Note: The ps2epsi utility does not, and cannot, call Ghostscript with
          the -dSAFER command line option. It should never be called with input
          from untrusted sources.
      * Removed patch 020180906-bc3df07-*.patch backported from upstream.
      * Refreshed patches 2003_support_multiarch.patch and
        2007_suggest_install_ghostscript-doc_in_code.patch with quilt.
      * debian/libgs9.symbols: Updated for new upstream source. Applied patch
        which dpkg-gensymbols generated.
    
     -- Till Kamppeter <email address hidden>  Thu, 13 Sep 2018 20:27:06 +0200
  • ghostscript (9.24~dfsg+1-0ubuntu1) cosmic; urgency=medium
    
      * New upstream release (LP: #1791279)
        Highlights:
        - Security issues have been the primary focus of this release,
          including solving several (well publicised) real and potential
          exploits.
          Upstream highly recommends this due to the many security fixes
          and improvements.
      * debian/copyright, debian/rules: Upstream renamed the lcms2art/ directory
        to lcms2mt/.
      * Removed patch CVE-2018-10194.patch backported from upstream.
      * Refreshed patch 2010_add_build_timestamp_setting.patch with quilt.
      * 020180906-bc3df07-for-icc-profile-validation-have-cups-id-itself-as-device-n.patch:
        "cups" output device did not work because there were no output profiles
        for all color spaces (Upstream bug #699713).
      * Merged from Debian package:
        - Update copyright-check maintainer script: Extract metadata from png files.
        - Update copyright info:
          + Extend coverage for main upstream author.
          + Extend coverage for Adobe.
        - Extend lintian overrides regarding License-Reference.
        - Declare compliance with Debian Policy 4.2.0.
      * debian/libgs9.symbols: Updated for new upstream source. Applied patch
        which dpkg-gensymbols generated.
    
     -- Till Kamppeter <email address hidden>  Thu, 06 Sep 2018 20:21:03 +0200
  • ghostscript (9.23~dfsg+1-0ubuntu2) cosmic; urgency=medium
    
      * Build with -O2 on ppc64el to avoid FTBFS
    
     -- Graham Inggs <email address hidden>  Sat, 11 Aug 2018 11:41:40 +0000
  • ghostscript (9.23~dfsg+1-0ubuntu1) cosmic; urgency=medium
    
      * New upstream release
        Highlights:
        + Ghostscript now has a family of 'pdfimage' devices (pdfimage8,
          pdfimage24 and pdfimage32) which produce rendered output wrapped
          up as an image in a PDF. Additionally, there is a 'pclm' device
          which produces PCLm format output.
        + There is now a ColorAccuracy parameter allowing the user to
          decide between speed or accuracy in ICC color transforms.
        + JPEG Passthrough: devices which support it can now receive the
          'raw' JPEG stream from the interpreter. The main use of this is
          the pdfwrite/ps2write family of devices that can now take JPEG
          streams from the input file(s) and write them unchanged to the
          output (thus avoiding additional quantization effects).
        + PDF transparency performance improvements
      * Difference to Debian package:
        + openjpeg library bundled with upstream Ghostscript/GhostPDL used
          instead of the original openjpeg library, as the original library
          is not accepted into Ubuntu Main
          (https://bugs.launchpad.net/bugs/711061).
      * Use bundled lcms2art instead of system's liblcms2 as the former
        one is made thread safe and also contains performance enhancements
        which got rejected upstream.
      * Updated list of stripped files/paths in debian/copyright
      * Added licenses of bundled openjpeg and lcms2 libraries to
        debian/copyright
      * Updated/refreshed the 20* patches
      * Dropped CVE-2016-10317.patch as it is included upstream.
      * debian/libgs9.symbols: Updated for new upstream source. Applied patch
        which dpkg-gensymbols generated.
    
     -- Till Kamppeter <email address hidden>  Wed, 08 Aug 2018 13:29:37 +0200
  • ghostscript (9.22~dfsg+1-0ubuntu1.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Heap-based buffer overflow and application crash
        - debian/patches/CVE-2016-10317.patch: check max_height bounds in
          base/gxht_thresh.c, base/gxipixel.c.
        - CVE-2016-10317
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2018-10194.patch: avoid infinite number
          in devices/vector/gdevpdts.c.
        - CVE-2018-10194
    
     -- <email address hidden> (Leonidas S. Barbosa)  Tue, 24 Apr 2018 14:34:45 -0300
  • ghostscript (9.22~dfsg+1-0ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        + openjpeg library bundled with upstream Ghostscript/GhostPDL used
          instead of the original openjpeg library, as the original library
          is not accepted into Ubuntu Main
          (https://bugs.launchpad.net/bugs/711061).
      * debian/libgs9.symbols: Updated for new upstream source. Applied patch
        which dpkg-gensymbols generated.
    
     -- Till Kamppeter <email address hidden>  Fri, 23 Feb 2018 21:12:00 +0100