Accepting request 652826 from home:jsmeix:branches:Printing

Version upgrade to 9.26 (Purely security and a few bug fixes)

OBS-URL: https://build.opensuse.org/request/show/652826
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=99
Johannes Meixner 2018-11-30 09:32:47 +00:00 committed by Git OBS Bridge
parent 98164e5415
commit f0089d8f2b
2 changed files with 74 additions and 2 deletions

@ -1,5 +1,5 @@
-------------------------------------------------------------------
Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
- Version upgrade to 9.26
Highlights in this release include:
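
Review bot: the timestamp line at the top of this hunk is rewritten in place (Wed Nov 21 12:37:13 becomes Fri Nov 30 09:01:17) instead of a new entry being added, so the changelog no longer records that the 9.26 upgrade was first logged on Nov 21. If the Nov 21 entry had already left this project, add the CVE references as a separate Nov 30 entry on top and leave the older date untouched; otherwise mention in the commit message that the existing entry was amended.
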
@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
For a release summary see:
http://www.ghostscript.com/doc/9.26/News.htm
For details see the News.htm and History9.htm files.
The Ghostscript 9.26 release should fix (cf. the entry below
dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means)
in particular those security issues (bsc#1117331)
* CVE-2018-19475: psi/zdevice2.c allows attackers to bypass
intended access restrictions
https://bugs.ghostscript.com/show_bug.cgi?id=700153
https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327
* CVE-2018-19476: psi/zicc.c allows attackers to bypass
intended access restrictions because of a setcolorspace
type confusion
https://bugs.ghostscript.com/show_bug.cgi?id=700169
https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313
* CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass
intended access restrictions because of a JBIG2Decode
type confusion
https://bugs.ghostscript.com/show_bug.cgi?id=700168
https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274
* CVE-2018-19409: LockSafetyParams is not checked correctly
if another device is used
https://bugs.ghostscript.com/show_bug.cgi?id=700176
https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022
and those security issues
* CVE-2018-18284: 1Policy operator gives access to .forceput
https://bugs.ghostscript.com/show_bug.cgi?id=69963
https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229
* CVE-2018-18073: saved execution stacks can leak operator arrays
https://bugs.ghostscript.com/show_bug.cgi?id=699927
https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480
* CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox
https://bugs.ghostscript.com/show_bug.cgi?id=699816
https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479
* CVE-2018-17183: remote attackers could be able to supply
crafted PostScript to potentially overwrite or replace
error handlers to inject code
https://bugs.ghostscript.com/show_bug.cgi?id=699708
https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105
-------------------------------------------------------------------
Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de
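
Review bot: the upstream link under CVE-2018-18284 reads show_bug.cgi?id=69963, five digits where every other bugs.ghostscript.com id in this list has six (699708 through 700176), which looks like a dropped digit. Check the id against the upstream tracker and correct it here and in the identical line of the second .changes file in this commit, since a wrong id sends anyone auditing the fix to an unrelated bug.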

@ -1,5 +1,5 @@
-------------------------------------------------------------------
Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
- Version upgrade to 9.26
Highlights in this release include:
@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
For a release summary see:
http://www.ghostscript.com/doc/9.26/News.htm
For details see the News.htm and History9.htm files.
The Ghostscript 9.26 release should fix (cf. the entry below
dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means)
in particular those security issues (bsc#1117331)
* CVE-2018-19475: psi/zdevice2.c allows attackers to bypass
intended access restrictions
https://bugs.ghostscript.com/show_bug.cgi?id=700153
https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327
* CVE-2018-19476: psi/zicc.c allows attackers to bypass
intended access restrictions because of a setcolorspace
type confusion
https://bugs.ghostscript.com/show_bug.cgi?id=700169
https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313
* CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass
intended access restrictions because of a JBIG2Decode
type confusion
https://bugs.ghostscript.com/show_bug.cgi?id=700168
https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274
* CVE-2018-19409: LockSafetyParams is not checked correctly
if another device is used
https://bugs.ghostscript.com/show_bug.cgi?id=700176
https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022
and those security issues
* CVE-2018-18284: 1Policy operator gives access to .forceput
https://bugs.ghostscript.com/show_bug.cgi?id=69963
https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229
* CVE-2018-18073: saved execution stacks can leak operator arrays
https://bugs.ghostscript.com/show_bug.cgi?id=699927
https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480
* CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox
https://bugs.ghostscript.com/show_bug.cgi?id=699816
https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479
* CVE-2018-17183: remote attackers could be able to supply
crafted PostScript to potentially overwrite or replace
error handlers to inject code
https://bugs.ghostscript.com/show_bug.cgi?id=699708
https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105
-------------------------------------------------------------------
Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de
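
Review bot: the second group heading, "and those security issues", does not say how these four CVEs differ from the four listed under bsc#1117331, and the "should fix" caveat depends on the reader locating another entry by its timestamp ('Fri Sep 14 10:47:33 CEST 2018'). State the distinction in the heading itself and repeat the caveat in a short clause, so that someone checking whether a given CVE is covered can read this entry on its own.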