Accepting request 652826 from home:jsmeix:branches:Printing

Version upgrade to 9.26 (Purely security and a few bug fixes)

OBS-URL: https://build.opensuse.org/request/show/652826
OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=99

ghostscript-mini.changes

@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
+Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
 
 - Version upgrade to 9.26
   Highlights in this release include:
@@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
   For a release summary see:
   http://www.ghostscript.com/doc/9.26/News.htm
   For details see the News.htm and History9.htm files.
+  The Ghostscript 9.26 release should fix (cf. the entry below
+  dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means)
+  in particular those security issues (bsc#1117331)
+  * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass
+    intended access restrictions
+    https://bugs.ghostscript.com/show_bug.cgi?id=700153
+    https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327
+  * CVE-2018-19476: psi/zicc.c allows attackers to bypass
+    intended access restrictions because of a setcolorspace
+    type confusion
+    https://bugs.ghostscript.com/show_bug.cgi?id=700169
+    https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313
+  * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass
+    intended access restrictions because of a JBIG2Decode
+    type confusion
+    https://bugs.ghostscript.com/show_bug.cgi?id=700168
+    https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274
+  * CVE-2018-19409: LockSafetyParams is not checked correctly
+    if another device is used
+    https://bugs.ghostscript.com/show_bug.cgi?id=700176
+    https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022
+  and those security issues
+  * CVE-2018-18284: 1Policy operator gives access to .forceput
+    https://bugs.ghostscript.com/show_bug.cgi?id=69963
+    https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229
+  * CVE-2018-18073: saved execution stacks can leak operator arrays
+    https://bugs.ghostscript.com/show_bug.cgi?id=699927
+    https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480
+  * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox
+    https://bugs.ghostscript.com/show_bug.cgi?id=699816
+    https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479
+  * CVE-2018-17183: remote attackers could be able to supply
+    crafted PostScript to potentially overwrite or replace
+    error handlers to inject code
+    https://bugs.ghostscript.com/show_bug.cgi?id=699708
+    https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105
 
 -------------------------------------------------------------------
 Fri Nov  9 11:25:19 CET 2018 - jsmeix@suse.de

ghostscript.changes

@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
+Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de
 
 - Version upgrade to 9.26
   Highlights in this release include:
@@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de
   For a release summary see:
   http://www.ghostscript.com/doc/9.26/News.htm
   For details see the News.htm and History9.htm files.
+  The Ghostscript 9.26 release should fix (cf. the entry below
+  dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means)
+  in particular those security issues (bsc#1117331)
+  * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass
+    intended access restrictions
+    https://bugs.ghostscript.com/show_bug.cgi?id=700153
+    https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327
+  * CVE-2018-19476: psi/zicc.c allows attackers to bypass
+    intended access restrictions because of a setcolorspace
+    type confusion
+    https://bugs.ghostscript.com/show_bug.cgi?id=700169
+    https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313
+  * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass
+    intended access restrictions because of a JBIG2Decode
+    type confusion
+    https://bugs.ghostscript.com/show_bug.cgi?id=700168
+    https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274
+  * CVE-2018-19409: LockSafetyParams is not checked correctly
+    if another device is used
+    https://bugs.ghostscript.com/show_bug.cgi?id=700176
+    https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022
+  and those security issues
+  * CVE-2018-18284: 1Policy operator gives access to .forceput
+    https://bugs.ghostscript.com/show_bug.cgi?id=69963
+    https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229
+  * CVE-2018-18073: saved execution stacks can leak operator arrays
+    https://bugs.ghostscript.com/show_bug.cgi?id=699927
+    https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480
+  * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox
+    https://bugs.ghostscript.com/show_bug.cgi?id=699816
+    https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479
+  * CVE-2018-17183: remote attackers could be able to supply
+    crafted PostScript to potentially overwrite or replace
+    error handlers to inject code
+    https://bugs.ghostscript.com/show_bug.cgi?id=699708
+    https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105
 
 -------------------------------------------------------------------
 Fri Nov  9 11:25:19 CET 2018 - jsmeix@suse.de