gs-esp (8.15.2.dfsg.0ubuntu1-0ubuntu1.2) dapper-security; urgency=low

  * SECURITY UPDATE: Arbitrary code execution due to integer overflows and
    insufficient upper-bounds checks in the ICC library
    - debian/patches/06_CVE-2009-0583_0584.dpatch: fix multiple integer
      overflows and perform bounds checking in icclib/icc.c.
    - CVE-2009-0583
    - CVE-2009-0584
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via buffer underflow in the CCITTFax decoding filter
    - debian/patches/07_CVE-2007-6725.dpatch: work around the buffer
      underflow in src/scfd.c.
    - CVE-2007-6725
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via BaseFont writer module
    - debian/patches/08_CVE-2008-6679.dpatch: increase size of buffer in
      src/gdevpdtb.c.
    - CVE-2008-6679
  * SECURITY UPDATE: possible arbitrary code execution via JBIG2 symbol
    dictionary segments
    - debian/patches/09_CVE-2009-0196.dpatch: validate size of runlength
      in export symbol table in jbig2dec/jbig2_symbol_dict.c.
    - CVE-2009-0196
  * SECURITY UPDATE: denial of service and possible arbitrary code
    execution via integer overflows in icclib
    - debian/patches/10_CVE-2009-0792.dpatch: fix numerous overflows in
      icclib/icc.c.
    - CVE-2009-0792

 -- Marc Deslauriers <email address hidden>  Thu, 09 Apr 2009 13:50:18 -0400
gs-esp (8.15.2.dfsg.0ubuntu1-0ubuntu1.1) dapper-security; urgency=low

  * SECURITY UPDATE: buffer overflow in color space handling code
  * debian/patches/05_CVE-2008-0411.dpatch: fix zseticcspace() to perform
    range checks
  * References
    CVE-2008-0411

 -- Jamie Strandboge <email address hidden>  Tue, 08 Apr 2008 12:44:43 -0400
gs-esp (8.15.2.dfsg.0ubuntu1-0ubuntu1) dapper; urgency=low

  * New upstream version. Changes are listed here:
      http://www.cups.org/articles.php?L378
    and consist of bugfixes (including some security fixes) and
    improvements to CUPS support and some new drivers.

 -- Ian Jackson <email address hidden>  Tue, 2 May 2006 17:54:21 +0100
gs-esp (8.15.1.dfsg.1-1ubuntu4) dapper; urgency=low

  * Fix cdj driver not to fail on unsupported NumCopies setpagedevice.
    Malone #38060; upstream STR 1577, trunk r137. Diff imported from
    http://www.easysw.com/espnews.php?s1+gcups.commit+v1.

 -- Ian Jackson <email address hidden>  Mon, 24 Apr 2006 14:31:56 +0100
gs-esp (8.15.1.dfsg.1-1ubuntu3) dapper; urgency=low

  * Update KRGB support as described in gs-esp-krgb1.2.patch from
    Debian #354394. Fixes Malone #23099. See also Debian #355616
    and http://www.cups.org/espgs/str.php?L1448.

 -- Ian Jackson <email address hidden>  Tue, 4 Apr 2006 17:55:03 +0100
gs-esp (8.15.1.dfsg.1-1ubuntu2) dapper; urgency=low

  * Resynch with Debian. Applying same patch as to our gs-gpl;
    dropping old patches against gs-esp 7.07 (phew!). Remaining
    Ubuntu patches:
    * Close and reopen x11 driver when size changes. Fixes
      coredump in x11 driver under gv with antialiasing turned on
      (reproducible in 8.01 on a 16bpp display).
      Related to Ubuntu 17141, and to fix for Debian #254206.
    * Fix coredumping bug on ppc: Ubuntu bugzilla:
        http://bugzilla.ubuntu.com/show_bug.cgi?id=14311
        http://bugzilla.ubuntu.com/show_bug.cgi?id=13771
      This is the same issue as
        http://bugs.ghostscript.com/show_bug.cgi?id=687643
        http://bugs.ghostscript.com/show_bug.cgi?id=687730
      discussed in
        http://ghostscript.com/pipermail/gs-code-review/2004-September/004649.html
      and probably the same as Debian bugs #324796 and #325570 and
      perhaps others in Debian's gs-esp and gs-gpl.
      This bug is due to gs's incorrect assumption that (where ref is an
      important struct inside gs) sizeof(ref) % alignof(jmp_buf) == 0. This
      is not true on ppc and apparently not necessarily on Itanium either.
      The `fix' I have applied is to wrap setjmp/longjmp up in macros which
      arrange for jmp_buf to have alignment 1, as sketched out in the URLs
      above. A previous attempt to fix it by padding ref out to the
      alignment of jmp_buf failed and I don't know why; but I suspect other
      unjustified assumptions in gs.
      GhostScript's algorithms ought to be repaired not to assume
      falsehoods.

 -- Ian Jackson <email address hidden>  Tue, 13 Sep 2005 18:27:17 +0100