-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:095 http://www.mandriva.com/security/ _______________________________________________________________________ Package : ghostscript Date : April 24, 2009 Affected: 2008.1, 2009.0, Corporate 4.0 _______________________________________________________________________ Problem Description: A buffer underflow in Ghostscript's CCITTFax decoding filter allows remote attackers to cause denial of service and possibly to execute arbitrary by using a crafted PDF file (CVE-2007-6725). Buffer overflow in Ghostscript's BaseFont writer module allows remote attackers to cause a denial of service and possibly to execute arbitrary code via a crafted Postscript file (CVE-2008-6679). Multiple interger overflows in Ghostsript's International Color Consortium Format Library (icclib) allows attackers to cause denial of service (heap-based buffer overflow and application crash) and possibly execute arbirary code by using either a PostScript or PDF file with crafte embedded images (CVE-2009-0583, CVE-2009-0584). Multiple interger overflows in Ghostsript's International Color Consortium Format Library (icclib) allows attackers to cause denial of service (heap-based buffer overflow and application crash) and possibly execute arbirary code by using either a PostScript or PDF file with crafte embedded images. Note: this issue exists because of an incomplete fix for CVE-2009-0583 (CVE-2009-0792). Heap-based overflow in Ghostscript's JBIG2 decoding library allows attackers to cause denial of service and possibly to execute arbitrary code by using a crafted PDF file (CVE-2009-0196). This update provides fixes for that vulnerabilities. Update: gostscript packages from Mandriva Linux 2009.0 distribution are not affected by CVE-2007-6725. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 21e5523f3dd1e662749153256a9c4c29 2008.1/i586/ghostscript-8.61-60.1mdv2008.1.i586.rpm 67c9ef01cbb300b355ca7973796128e1 2008.1/i586/ghostscript-common-8.61-60.1mdv2008.1.i586.rpm 981885697a740a41de36f2fbe9162ead 2008.1/i586/ghostscript-doc-8.61-60.1mdv2008.1.i586.rpm 6021f2ba30f5db13365b4b4032bd95dd 2008.1/i586/ghostscript-dvipdf-8.61-60.1mdv2008.1.i586.rpm fbcf137a546d3a26728d03c43fe91f63 2008.1/i586/ghostscript-module-X-8.61-60.1mdv2008.1.i586.rpm 7957439e200dd85d147896c324267d25 2008.1/i586/ghostscript-X-8.61-60.1mdv2008.1.i586.rpm 2c15c85bde4846cf0e353bb05af17320 2008.1/i586/libgs8-8.61-60.1mdv2008.1.i586.rpm eb5d8bab4161862a3f52cac7e75026b1 2008.1/i586/libgs8-devel-8.61-60.1mdv2008.1.i586.rpm 8c54dfe0af736153a138361ca4f7093a 2008.1/i586/libijs1-0.35-60.1mdv2008.1.i586.rpm e8192518fbd2f9931ae54a86bcbbf567 2008.1/i586/libijs1-devel-0.35-60.1mdv2008.1.i586.rpm c65ca4c2032670ac4f30ef131a8f3d32 2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 1495a4f65154f7a50888a96162e6a180 2008.1/x86_64/ghostscript-8.61-60.1mdv2008.1.x86_64.rpm 3afecedda4a8d72f32f37efeabbaf46e 2008.1/x86_64/ghostscript-common-8.61-60.1mdv2008.1.x86_64.rpm a2a2969f5c501347f6c7513a8180ac62 2008.1/x86_64/ghostscript-doc-8.61-60.1mdv2008.1.x86_64.rpm 016239f5bc2cca3aae62f1dc3fa443a2 2008.1/x86_64/ghostscript-dvipdf-8.61-60.1mdv2008.1.x86_64.rpm 5537b78ef9cac087f3a6c88e8c6c4b34 2008.1/x86_64/ghostscript-module-X-8.61-60.1mdv2008.1.x86_64.rpm 1927c0fce28438b00d504d5bf207a257 2008.1/x86_64/ghostscript-X-8.61-60.1mdv2008.1.x86_64.rpm 7da692a79f0054041c685f74d291c042 2008.1/x86_64/lib64gs8-8.61-60.1mdv2008.1.x86_64.rpm e8eef75aa357ab14937c9e5bd07bad83 2008.1/x86_64/lib64gs8-devel-8.61-60.1mdv2008.1.x86_64.rpm 25dbc9b27639c90097a14532d8e30039 2008.1/x86_64/lib64ijs1-0.35-60.1mdv2008.1.x86_64.rpm 3effb7a452c598b79a9ccf2a2a85402f 2008.1/x86_64/lib64ijs1-devel-0.35-60.1mdv2008.1.x86_64.rpm c65ca4c2032670ac4f30ef131a8f3d32 2008.1/SRPMS/ghostscript-8.61-60.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 08d85895c1b9b2f184b521b347b6c3a9 2009.0/i586/ghostscript-8.63-62.1mdv2009.0.i586.rpm b80577925371e2e310efa46cc7e6524e 2009.0/i586/ghostscript-common-8.63-62.1mdv2009.0.i586.rpm 3d2b787310d18f6d57e8f2759e2e378d 2009.0/i586/ghostscript-doc-8.63-62.1mdv2009.0.i586.rpm 74230df515cd6f728b1ad0fa7425881f 2009.0/i586/ghostscript-dvipdf-8.63-62.1mdv2009.0.i586.rpm 89013a75d8c588b5ac8b08e68585c55e 2009.0/i586/ghostscript-module-X-8.63-62.1mdv2009.0.i586.rpm 383751e84376fe6bbd7e3cb52c2f9a68 2009.0/i586/ghostscript-X-8.63-62.1mdv2009.0.i586.rpm 353d6c17931a606fe9de82f3ce275dd5 2009.0/i586/libgs8-8.63-62.1mdv2009.0.i586.rpm 05665f903b2ac9b5f1baf924598250ab 2009.0/i586/libgs8-devel-8.63-62.1mdv2009.0.i586.rpm a3d0879ab70588df82b0a2a0eba91cc4 2009.0/i586/libijs1-0.35-62.1mdv2009.0.i586.rpm 75b2f976582e0e1b2800927c0c0356d1 2009.0/i586/libijs1-devel-0.35-62.1mdv2009.0.i586.rpm f10ffcf2150c332ff6baf9befc04561a 2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 66ea01cecd74b8baf47c0fde1333eb94 2009.0/x86_64/ghostscript-8.63-62.1mdv2009.0.x86_64.rpm a5f89f1f738627329671fedc6499e066 2009.0/x86_64/ghostscript-common-8.63-62.1mdv2009.0.x86_64.rpm 8b7c1317a8da3b8ce5b19f9ee4b1e32d 2009.0/x86_64/ghostscript-doc-8.63-62.1mdv2009.0.x86_64.rpm 72e99ba40f13862aa1117738cb426e8a 2009.0/x86_64/ghostscript-dvipdf-8.63-62.1mdv2009.0.x86_64.rpm 9ef78a2da9e98e5a9b50c850166a2974 2009.0/x86_64/ghostscript-module-X-8.63-62.1mdv2009.0.x86_64.rpm e66cb4eca77d326f7a8aa62c303a0630 2009.0/x86_64/ghostscript-X-8.63-62.1mdv2009.0.x86_64.rpm 6310d106dc710713b89b8053f702bff1 2009.0/x86_64/lib64gs8-8.63-62.1mdv2009.0.x86_64.rpm 69b66aa75de8eb8739b1b4cda07c9f5f 2009.0/x86_64/lib64gs8-devel-8.63-62.1mdv2009.0.x86_64.rpm ce33d1391e0fb673c865df40a3d63eb4 2009.0/x86_64/lib64ijs1-0.35-62.1mdv2009.0.x86_64.rpm 9eac0d8043cb220edbbdf795c4f8eed0 2009.0/x86_64/lib64ijs1-devel-0.35-62.1mdv2009.0.x86_64.rpm f10ffcf2150c332ff6baf9befc04561a 2009.0/SRPMS/ghostscript-8.63-62.1mdv2009.0.src.rpm Corporate 4.0: f3f2dd869b6716d5693a2851d0103d29 corporate/4.0/i586/ghostscript-8.15-46.2.20060mlcs4.i586.rpm dfbad4b982a25d92abe3c59dd66dfcc5 corporate/4.0/i586/ghostscript-common-8.15-46.2.20060mlcs4.i586.rpm 0db7b9267e286692faba1c3d0dc96ba8 corporate/4.0/i586/ghostscript-dvipdf-8.15-46.2.20060mlcs4.i586.rpm 671ac5a9cbe53778e42bff674eecc29f corporate/4.0/i586/ghostscript-module-X-8.15-46.2.20060mlcs4.i586.rpm 084da1f80aed83f0c2760cb4badd0912 corporate/4.0/i586/ghostscript-X-8.15-46.2.20060mlcs4.i586.rpm e1f093bba6ef20334386d510c8d71a16 corporate/4.0/i586/libgs8-8.15-46.2.20060mlcs4.i586.rpm 6822f3330c5df7322f0b2b358fc8a0b8 corporate/4.0/i586/libgs8-devel-8.15-46.2.20060mlcs4.i586.rpm 8524416169178e556b61dd524bccb880 corporate/4.0/i586/libijs1-0.35-46.2.20060mlcs4.i586.rpm 1608d8fc8f9f11a91a270f73a820886d corporate/4.0/i586/libijs1-devel-0.35-46.2.20060mlcs4.i586.rpm 2d6e27ec1923b32485fc40fbe73f5e76 corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 3bf733e0a435f1d043ab03ee89bf900f corporate/4.0/x86_64/ghostscript-8.15-46.2.20060mlcs4.x86_64.rpm 378d6bedbe98a7ae128bf24ce73ff237 corporate/4.0/x86_64/ghostscript-common-8.15-46.2.20060mlcs4.x86_64.rpm ef7a7d50ec22edf3194351c0564362ac corporate/4.0/x86_64/ghostscript-dvipdf-8.15-46.2.20060mlcs4.x86_64.rpm 5b70ec3ac9bfd88c9281a768089993fc corporate/4.0/x86_64/ghostscript-module-X-8.15-46.2.20060mlcs4.x86_64.rpm 1ea47debc989e4ce9efa7ced8d23ced3 corporate/4.0/x86_64/ghostscript-X-8.15-46.2.20060mlcs4.x86_64.rpm aaad3b214a420ebfb7599aa7bf6c2265 corporate/4.0/x86_64/lib64gs8-8.15-46.2.20060mlcs4.x86_64.rpm 3d807e9b0ff862a28d3b15a067f71f27 corporate/4.0/x86_64/lib64gs8-devel-8.15-46.2.20060mlcs4.x86_64.rpm 46dcc298bf2eb2b0be3a7cdcaf20f4a6 corporate/4.0/x86_64/lib64ijs1-0.35-46.2.20060mlcs4.x86_64.rpm 5c656acee2162a7ab67bee745cbbf473 corporate/4.0/x86_64/lib64ijs1-devel-0.35-46.2.20060mlcs4.x86_64.rpm 2d6e27ec1923b32485fc40fbe73f5e76 corporate/4.0/SRPMS/ghostscript-8.15-46.2.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJ8d0VmqjQ0CJFipgRAmAFAJ0VG4BedOc36ha3HKdhcGHOKULILwCfRY4i NI4Hm3ny+blkGziBjdTkXdg= =MXEA -----END PGP SIGNATURE-----