Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in ghostscript
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in ghostscript
ID: MDVSA-2009:311
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Fr, 4. Dezember 2009, 01:21
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
Applikationen: AFPL Ghostscript

Originalnachricht

This is a multi-part message in MIME format...

------------=_1259886090-24326-1585


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:311
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ghostscript
Date : December 3, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in ghostscript:

A buffer underflow in Ghostscript's CCITTFax decoding filter allows
remote attackers to cause denial of service and possibly to execute
arbitrary by using a crafted PDF file (CVE-2007-6725).

Buffer overflow in Ghostscript's BaseFont writer module allows
remote attackers to cause a denial of service and possibly to execute
arbitrary code via a crafted Postscript file (CVE-2008-6679).

Multiple interger overflows in Ghostsript's International Color
Consortium Format Library (icclib) allows attackers to cause denial
of service (heap-based buffer overflow and application crash) and
possibly execute arbirary code by using either a PostScript or PDF
file with crafte embedded images (CVE-2009-0583, CVE-2009-0584).

Multiple interger overflows in Ghostsript's International Color
Consortium Format Library (icclib) allows attackers to cause denial
of service (heap-based buffer overflow and application crash) and
possibly execute arbirary code by using either a PostScript or PDF
file with crafte embedded images. Note: this issue exists because of
an incomplete fix for CVE-2009-0583 (CVE-2009-0792).

Heap-based overflow in Ghostscript's JBIG2 decoding library allows
attackers to cause denial of service and possibly to execute arbitrary
code by using a crafted PDF file (CVE-2009-0196).

Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).

Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).

Previousely the ghostscript packages were statically built against
a bundled and private copy of the jasper library. This update makes
ghostscript link against the shared system jasper library which
makes it easier to address presumptive future security issues in the
jasper library.

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update provides fixes for that vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
d419c4cc3452b90b350c8fda68bf29f8
2008.0/i586/ghostscript-8.60-55.3mdv2008.0.i586.rpm
7e120e4166ebbf8203a05d657223c5d5
2008.0/i586/ghostscript-common-8.60-55.3mdv2008.0.i586.rpm
29685fcf8eb0bb04d59e07fcbb57973f
2008.0/i586/ghostscript-doc-8.60-55.3mdv2008.0.i586.rpm
d205693e3d3ba8da5f9197992d28ed13
2008.0/i586/ghostscript-dvipdf-8.60-55.3mdv2008.0.i586.rpm
6b4c9b0bcb0e00dfadf1e4d145a4c657
2008.0/i586/ghostscript-module-X-8.60-55.3mdv2008.0.i586.rpm
04b75844bec6d20e8d642ad0c217ad1f
2008.0/i586/ghostscript-X-8.60-55.3mdv2008.0.i586.rpm
b20ee4fa316e601a73131d0cca1b1643
2008.0/i586/libgs8-8.60-55.3mdv2008.0.i586.rpm
121aea93ce9d622fb7d5f616e442bc86
2008.0/i586/libgs8-devel-8.60-55.3mdv2008.0.i586.rpm
157190bd96bc7326ce9291a67db738cf
2008.0/i586/libijs1-0.35-55.3mdv2008.0.i586.rpm
50d401f2135225ec3cad3881ceb084bd
2008.0/i586/libijs1-devel-0.35-55.3mdv2008.0.i586.rpm
5f649dc370d0b581b067d8b5db30a1a2
2008.0/SRPMS/ghostscript-8.60-55.3mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
54292241ec99616cedd3099e4d2ff6a5
2008.0/x86_64/ghostscript-8.60-55.3mdv2008.0.x86_64.rpm
ede49cf300d10edf9b67067c13608fd2
2008.0/x86_64/ghostscript-common-8.60-55.3mdv2008.0.x86_64.rpm
e75cb4fb3d2b00ff395da26109518f6b
2008.0/x86_64/ghostscript-doc-8.60-55.3mdv2008.0.x86_64.rpm
2644ccf83047b448e0d0097bab2dad19
2008.0/x86_64/ghostscript-dvipdf-8.60-55.3mdv2008.0.x86_64.rpm
eaf0ee1db669bf25c30839b2da7782d1
2008.0/x86_64/ghostscript-module-X-8.60-55.3mdv2008.0.x86_64.rpm
62ad0f8af2eae01f62b178b6f9d1ae86
2008.0/x86_64/ghostscript-X-8.60-55.3mdv2008.0.x86_64.rpm
d96e334812d8af6448214491832ee176
2008.0/x86_64/lib64gs8-8.60-55.3mdv2008.0.x86_64.rpm
f129af9829956f8ad1aff56af496d31c
2008.0/x86_64/lib64gs8-devel-8.60-55.3mdv2008.0.x86_64.rpm
914c12790362c30b562f2a5b99748aec
2008.0/x86_64/lib64ijs1-0.35-55.3mdv2008.0.x86_64.rpm
deff12b840779e49a2d14a30d46060f1
2008.0/x86_64/lib64ijs1-devel-0.35-55.3mdv2008.0.x86_64.rpm
5f649dc370d0b581b067d8b5db30a1a2
2008.0/SRPMS/ghostscript-8.60-55.3mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGCnxmqjQ0CJFipgRAgO1AKC3lP/mULkNhPd9/o91BePfDLB3uwCg0GjV
q4PuQczr3V0LuJ8MhlTucZM=
=e4Ko
-----END PGP SIGNATURE-----


------------=_1259886090-24326-1585
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1259886090-24326-1585--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung