UbuntuUpdates.org

Package "ghostscript"

Name: ghostscript

Description:

interpreter for the PostScript language and for PDF

Latest version: 9.26~dfsg+0-0ubuntu0.16.04.3
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://www.ghostscript.com/

Links

Save this URL for the latest version of "ghostscript": https://www.ubuntuupdates.org/ghostscript


Download "ghostscript"


Other versions of "ghostscript" in Xenial

Repository Area Version
base main 9.18~dfsg~0-0ubuntu2
updates main 9.26~dfsg+0-0ubuntu0.16.04.3

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 9.26~dfsg+0-0ubuntu0.16.04.3 2018-12-06 20:07:05 UTC

  ghostscript (9.26~dfsg+0-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: multiple regressions (LP: #1806517)
    - debian/patches/020181126-96c381c*.patch: fix duplex issue.
    - debian/patches/020181205-fae21f16*.patch: fix -dFirstPage and
      -dLastPage issue.

 -- Marc Deslauriers <email address hidden> Thu, 06 Dec 2018 07:17:51 -0500

Source diff to previous version
1806517 Ghostscript segmentation fault on PDF using -dFirstPage and -dLastPage

Version: 9.26~dfsg+0-0ubuntu0.16.04.1 2018-11-29 14:07:12 UTC

  ghostscript (9.26~dfsg+0-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Updated to 9.26 to fix multiple security issues
    - CVE-2018-19409
    - CVE-2018-19475
    - CVE-2018-19476
    - CVE-2018-19477
  * Removed patches included in new version:
    - debian/patches/0218*.patch
    - debian/patches/lp1800062.patch
  * debian/symbols.common: updated for new version.

 -- Marc Deslauriers <email address hidden> Wed, 28 Nov 2018 08:35:43 -0500

Source diff to previous version
CVE-2018-19409 An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used.
CVE-2018-19475 psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not
CVE-2018-19476 psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusio
CVE-2018-19477 psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusi

Version: 9.25~dfsg+1-0ubuntu0.16.04.2 2018-10-30 18:06:19 UTC

  ghostscript (9.25~dfsg+1-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0218*.patch: multiple cherry-picked upstream commits
      to fix security issues. Thanks to Jonas Smedegaard for cherry-picking
      these for Debian's 9.25~dfsg-3 package.
    - debian/symbols.common: added new symbol.
    - CVE-2018-17961
    - CVE-2018-18073
    - CVE-2018-18284
  * Fix LeadingEdge regression introduced in 9.22. (LP: #1800062)
    - debian/patches/lp1800062.patch: fix cups get/put_params LeadingEdge
      logic in cups/gdevcups.c.

 -- Marc Deslauriers <email address hidden> Tue, 30 Oct 2018 09:04:39 -0400

Source diff to previous version
1800062 Ghostscript command line: /usr/bin/gs :Unrecoverable error: undefined in .putdeviceprops
CVE-2018-17961 Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this i
CVE-2018-18073 Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack
CVE-2018-18284 Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.

Version: 9.25~dfsg+1-0ubuntu0.16.04.1 2018-10-01 13:07:09 UTC

  ghostscript (9.25~dfsg+1-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: updated to 9.25 to fix multiple security issues
    - Previous security release contained an incomplete fix for
      CVE-2018-16510, and there are many other security fixes and
      improvements that went into the new upstream version without getting
      CVE numbers assigned.
    - CVE-2018-16510
    - CVE-2018-17183
  * Packages changes required for new version:
    - debian/patches/CVE*: removed, included in new version.
    - debian/patches/*: updated from cosmic package.
    - debian/copyright*: updated from cosmic package.
    - debian/rules, debian/libgs-dev.install: remove static library.
    - debian/symbols.common: updated for new version.

 -- Marc Deslauriers <email address hidden> Thu, 27 Sep 2018 08:16:57 -0400

Source diff to previous version
CVE-2018-16510 An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote
CVE-2018-17183 Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScr

Version: 9.18~dfsg~0-0ubuntu2.9 2018-09-19 08:06:21 UTC

  ghostscript (9.18~dfsg~0-0ubuntu2.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/CVE-2018-1*.patch: backport large number of
      upstream security fixes.
    - CVE-2018-11645, CVE-2018-15908, CVE-2018-15909, CVE-2018-15910,
      CVE-2018-15911, CVE-2018-16509, CVE-2018-16511, CVE-2018-16513,
      CVE-2018-16539, CVE-2018-16540, CVE-2018-16541, CVE-2018-16542,
      CVE-2018-16543, CVE-2018-16585, CVE-2018-16802

 -- Marc Deslauriers <email address hidden> Wed, 12 Sep 2018 11:00:10 -0400

CVE-2018-11645 psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine
CVE-2018-15908 In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write fil
CVE-2018-15909 In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScri
CVE-2018-15910 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter
CVE-2018-15911 In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode ope
CVE-2018-16509 An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exception
CVE-2018-16511 An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted Post
CVE-2018-16513 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash th
CVE-2018-16539 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to di
CVE-2018-16540 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in co
CVE-2018-16541 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to cra
CVE-2018-16542 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during e
CVE-2018-16543 In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.
CVE-2018-16585 An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for u
CVE-2018-16802 An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception



About   -   Send Feedback to @ubuntu_updates