UbuntuUpdates.org

Package "libgs9-common"

Name: libgs9-common

Description:

interpreter for the PostScript language and for PDF - common files

Latest version: 9.05~dfsg-0ubuntu4.5
Release: precise (12.04)
Level: updates
Repository: main
Head package: ghostscript
Homepage: http://www.ghostscript.com/


Other versions of "libgs9-common" in Precise

Repository  Area  Version
base        main  9.05~dfsg-0ubuntu4
security    main  9.05~dfsg-0ubuntu4.5

Changelog

Version: 9.05~dfsg-0ubuntu4.5 2017-04-28 07:06:40 UTC

  ghostscript (9.05~dfsg-0ubuntu4.5) precise-security; urgency=medium

  * SECURITY UPDATE: invalid handling of parameters to .eqproc and
    .rsdparams allowed disabling -dSAFER and thus code execution
    - debian/patches/CVE-2017-8291-1.patch: check .eqproc parameters
    - debian/patches/CVE-2017-8291-2.patch: check .rsdparams parameters
    - CVE-2017-8291
  * SECURITY UPDATE: use-after-free in color management module.
    - CVE-2016-10217.patch: Don't create new ctx when pdf14 device
      reenabled
    - CVE-2016-10217
  * SECURITY UPDATE: divide-by-zero error denial of service in
    base/gxfill.c
    - CVE-2016-10219.patch: check for 0 in denominator
    - CVE-2016-10219
  * SECURITY UPDATE: null pointer dereference denial of service
    - CVE-2016-10220.patch: initialize device data structure correctly
    - CVE-2016-10220
  * SECURITY UPDATE: null pointer dereference denial of service
    - CVE-2017-5951.patch: use the correct param list enumerator
    - CVE-2017-5951
  * SECURITY UPDATE: null pointer dereference denial of service
    - CVE-2017-7207.patch: ensure a device has raster memory, before
      trying to read it
    - CVE-2017-7207

 -- Steve Beattie <email address hidden> Thu, 27 Apr 2017 19:05:47 -0700

CVE-2017-8291 Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring in a crafted .eps doc
CVE-2017-5951 The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service
CVE-2017-7207 The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer der

Version: 9.05~dfsg-0ubuntu4.4 2016-12-02 00:07:08 UTC

  ghostscript (9.05~dfsg-0ubuntu4.4) precise-security; urgency=medium

  * SECURITY UPDATE: Information disclosure through getenv, filenameforall
    - debian/patches/CVE-2013-5653.patch: Have filenameforall and getenv
      honor SAFER
    - CVE-2013-5653
  * SECURITY UPDATE: userparams with %pipe% in paths allow remote shell exec
    - debian/patches/CVE-2016-7976.patch: Add a file permissions callback
    - CVE-2016-7976
  * SECURITY UPDATE: use-after-free and remote code execution
    - debian/patches/CVE-2016-7978.patch: Reference count device icc profile
    - CVE-2016-7978
  * SECURITY UPDATE: type confusion allows remote code execution
    - debian/patches/CVE-2016-7979.patch: DSC parser - validate parameters
    - CVE-2016-7979
  * SECURITY UPDATE: NULL dereference
    - debian/patches/CVE-2016-8602.patch: check for sufficient params
    - CVE-2016-8602
  * SECURITY UPDATE: fix SAFER permissions
    - debian/patches/CVE-2016-7977.patch: Be rigorous with SAFER permissions
    - CVE-2016-7977

 -- Emily Ratliff <email address hidden> Thu, 01 Dec 2016 08:37:22 -0600

CVE-2013-5653 Ghostscript information disclosure through getenv, filenameforall
CVE-2016-7976 various userparams allow %pipe% in paths, allowing remote shell command execution
CVE-2016-7978 reference leak in .setdevice allows use-after-free and remote code execution
CVE-2016-7979 type confusion in .initialize_dsc_parser allows remote code execution
CVE-2016-8602 type confusion
CVE-2016-7977 .libfile doesn't check PermitFileReading array, allowing remote file disclosure

Version: 9.05~dfsg-0ubuntu4.3 2015-07-30 14:08:31 UTC

  ghostscript (9.05~dfsg-0ubuntu4.3) precise-security; urgency=medium

  * SECURITY UPDATE: integer overflow in gs_heap_alloc_bytes()
    - debian/patches/CVE-2015-3228.patch: added sanity check to
      base/gsmalloc.c.
    - CVE-2015-3228

 -- Marc Deslauriers Wed, 29 Jul 2015 16:05:11 -0400

CVE-2015-3228 Integer overflow

Version: 9.05~dfsg-0ubuntu4.2 2012-09-23 01:06:50 UTC

  ghostscript (9.05~dfsg-0ubuntu4.2) precise-proposed; urgency=low

  * debian/patches/020120828-535d11e-disable-checking-for-the-max-pdf-object-number-during-pdf-linearisation.patch:
    Disable checking for the max pdf object number during PDF linearisation,
    because linearisation adds a few new objects to the PDF file (LP: #1032366).

 -- Till Kamppeter <email address hidden> Tue, 28 Aug 2012 21:07:13 +0200

1032366 pdfopt problem caused by change of pdf_base.ps

Version: 9.05~dfsg-0ubuntu4.1 2012-07-30 01:06:51 UTC

  ghostscript (9.05~dfsg-0ubuntu4.1) precise-proposed; urgency=low

  * debian/patches/020120711-4f6b985-write-transparent-type2-pattern-color-to-clist.patch:
    When using a clist, ensure that all the color space data for the
    pattern gets written to the clist, *and* that the clist correctly
    records all the relevant transparency data (LP: #1022516, upstream bug
    #693176).

 -- Till Kamppeter <email address hidden> Wed, 11 Jul 2012 17:08:13 +0200

1022516 Incorrect color output of the buttons on the webpages (google search web page) when printed from Mozilla firefox 12 and above


