-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:144
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : June 27, 2009
 Affected: 2008.1, 2009.0, 2009.1
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities have been identified and fixed
 in ghostscript:

 Multiple integer overflows in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via a crafted
 image file, related to integer multiplication for memory allocation
 (CVE-2008-3520).

 Buffer overflow in the jas_stream_printf function in
 libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
 context-dependent attackers to have an unknown impact via
 vectors related to the mif_hdr_put function and use of vsprintf
 (CVE-2008-3522).

 Previously the ghostscript packages were statically built against
 a bundled and private copy of the jasper library. This update makes
 ghostscript link against the shared system jasper library which
 makes it easier to address presumptive future security issues in
 the jasper library.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
 _______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKRkCBmqjQ0CJFipgRAsXPAJ4wSuhitGx5GFak+Y9Vn7+DnlbZJwCfZmL8
VmzBRP7UPNfoHBoOpcgGFW0=
=ZeYa
-----END PGP SIGNATURE-----
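
Added example (not part of the advisory and not JasPer or ghostscript code): the two bug classes named in the Problem Description, an allocation size computed by integer multiplication and a vsprintf into a fixed buffer, shown with the checks that prevent them. The function names, buffer size and image dimensions are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What an unchecked n * size requests: unsigned arithmetic wraps silently. */
size_t wrapped_product(size_t n, size_t size)
{
    return n * size;
}

/* Allocate n elements of `size` bytes; NULL if n * size would wrap. */
void *alloc_array(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;               /* product does not fit in size_t */
    return malloc(n * size);
}

/* Bounded replacement for vsprintf() into a fixed buffer (hypothetical
 * helper). Returns the number of bytes written, or -1 if the output did
 * not fit; buf is always NUL-terminated and never written past cap. */
int bounded_printf(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (need < 0 || (size_t)need >= cap)
        return -1;                 /* encoding error or truncated output */
    return need;
}

int main(void)
{
    /* Constructed image dimensions, chosen so width * height wraps. */
    size_t width = SIZE_MAX / 2 + 1, height = 2;
    char hdr[16];                  /* constructed fixed-size header buffer */

    printf("unchecked request: %zu bytes\n", wrapped_product(width, height));
    printf("checked alloc:     %s\n",
           alloc_array(width, height) ? "allocated" : "refused");
    printf("short field:       %d\n",
           bounded_printf(hdr, sizeof hdr, "w=%d", 640));
    printf("long field:        %d\n",
           bounded_printf(hdr, sizeof hdr, "tlx=%d tly=%d w=%d",
                          100000, 100000, 100000));
    return 0;
}
```

With the constructed dimensions the unchecked product wraps to zero, so a plain malloc would return a buffer far smaller than the image the caller then writes into.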