From f82c4ed7e8b1a928b3c3e621920106174a0de88a71f1ba7813c266ab0d86bb51 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Fri, 9 Nov 2018 12:40:49 +0000 Subject: [PATCH 1/3] Accepting request 647580 from home:jsmeix:branches:Printing Version upgrade to 9.26rc1 (Purely security and a few bug fixes) OBS-URL: https://build.opensuse.org/request/show/647580 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=97 --- ghostscript-9.25.tar.gz | 3 --- ghostscript-9.26rc1.tar.gz | 3 +++ ghostscript-mini.changes | 8 ++++++++ ghostscript-mini.spec | 24 ++++++++++++------------ ghostscript.changes | 8 ++++++++ ghostscript.spec | 24 ++++++++++++------------ 6 files changed, 43 insertions(+), 27 deletions(-) delete mode 100644 ghostscript-9.25.tar.gz create mode 100644 ghostscript-9.26rc1.tar.gz diff --git a/ghostscript-9.25.tar.gz b/ghostscript-9.25.tar.gz deleted file mode 100644 index ac5ea5d..0000000 --- a/ghostscript-9.25.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:baafa64740b090bff50b220a6df3be95c46069b7e30f4b4effed28316e5b2389 -size 42017635 diff --git a/ghostscript-9.26rc1.tar.gz b/ghostscript-9.26rc1.tar.gz new file mode 100644 index 0000000..3d22694 --- /dev/null +++ b/ghostscript-9.26rc1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1ffa34c9e712c4ab035001f02689dc031ed011f7cbbbb776377a31ec5d586efa +size 42080620 diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index b48d3b7..591a4d1 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes 
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26rc1 (first release candidate for 9.26). + Highlights in this release include: + * Purely security and a few bug fixes, there are no new features, + and no API changes to report. + ------------------------------------------------------------------- Fri Sep 14 10:47:33 CEST 2018 - jsmeix@suse.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index 8fd34df..c07ad0a 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec 
@@ -37,36 +37,36 @@ Url: http://www.ghostscript.com/ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.24pre25rc1 -# Normal version for Ghostscript releases is the upstream version: -Version: 9.25 +Version: 9.25pre26rc1 Release: 0 +# Normal version for Ghostscript releases is the upstream version: +#Version: 9.25 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): -%define tarball_version %{version} -#define tarball_version 9.25rc1 +#define tarball_version %{version} +%define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. 
the upstream version): -%define built_version %{version} -#define built_version 9.25 +#define built_version %{version} +%define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases # URL for Source0: -# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/ghostscript-9.25rc1.tar.gz +# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz # URL for MD5 checksums: -# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/MD5SUMS -# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz -#Source0: ghostscript-%{tarball_version}.tar.gz +# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS +# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz +Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: # wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz # URL for MD5 checksums: # wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS # MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz -Source0: ghostscript-%{version}.tar.gz +#Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: diff --git a/ghostscript.changes b/ghostscript.changes index 0297db0..00b5e06 100644 --- a/ghostscript.changes 
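Review bot: The only integrity record this hunk gives for the new Source0 is an MD5 sum in a comment (`# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz`), which is not collision-resistant and which nothing in the visible lines enforces at build time. For a release that the changelog describes as purely security fixes, I would record a stronger digest next to it, for example `# SHA256 checksum for Source0: <sha256-of-upstream-tarball> ghostscript-9.26rc1.tar.gz`, and check it against a digest or signature published by upstream if one exists. The same applies to the matching hunk in ghostscript.spec and to the 9.26 release hunks in PATCH 2/3 that replace the sum with `806bc2dedbc7f69b003f536658e08d4a`. The spec continues outside the hunk, so a verification step elsewhere in the file or in the build service cannot be ruled out from here.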
+++ b/ghostscript.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26rc1 (first release candidate for 9.26). + Highlights in this release include: + * Purely security and a few bug fixes, there are no new features, + and no API changes to report. + ------------------------------------------------------------------- Fri Sep 14 10:47:33 CEST 2018 - jsmeix@suse.de diff --git a/ghostscript.spec b/ghostscript.spec index 0efeb44..ddcf347 100644 --- a/ghostscript.spec +++ b/ghostscript.spec 
@@ -57,36 +57,36 @@ Url: http://www.ghostscript.com/ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -#Version: 9.24pre25rc1 -# Normal version for Ghostscript releases is the upstream version: -Version: 9.25 +Version: 9.25pre26rc1 Release: 0 +# Normal version for Ghostscript releases is the upstream version: +#Version: 9.25 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): -%define tarball_version %{version} -#define tarball_version 9.25rc1 +#define tarball_version %{version} +%define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. 
the upstream version): -%define built_version %{version} -#define built_version 9.25 +#define built_version %{version} +%define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases # URL for Source0: -# wget -O ghostscript-9.25rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/ghostscript-9.25rc1.tar.gz +# wget -O ghostscript-9.26rc1.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/ghostscript-9.26rc1.tar.gz # URL for MD5 checksums: -# wget -O gs925rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925rc1/MD5SUMS -# MD5 checksum for Source0: 2dc56f05c4e479b9a2cbb8221f669c8f ghostscript-9.25rc1.tar.gz -#Source0: ghostscript-%{tarball_version}.tar.gz +# wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS +# MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz +Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: # wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz # URL for MD5 checksums: # wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS # MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz -Source0: ghostscript-%{version}.tar.gz +#Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: From 98164e5415137f18548d650497a2cb93e7b1f82ded50b19e50771775945d2a70 Mon Sep 17 00:00:00 2001 
From: Johannes Meixner Date: Wed, 21 Nov 2018 14:19:24 +0000 Subject: [PATCH 2/3] Accepting request 650710 from home:jsmeix:branches:Printing Version upgrade to 9.26 (Purely security and a few bug fixes) OBS-URL: https://build.opensuse.org/request/show/650710 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=98 --- ghostscript-9.26.tar.gz | 3 +++ ghostscript-9.26rc1.tar.gz | 3 --- ghostscript-mini.changes | 21 +++++++++++++++++++++ ghostscript-mini.spec | 26 +++++++++++++------------- ghostscript.changes | 21 +++++++++++++++++++++ ghostscript.spec | 26 +++++++++++++------------- 6 files changed, 71 insertions(+), 29 deletions(-) create mode 100644 ghostscript-9.26.tar.gz delete mode 100644 ghostscript-9.26rc1.tar.gz diff --git a/ghostscript-9.26.tar.gz b/ghostscript-9.26.tar.gz new file mode 100644 index 0000000..2b11523 --- /dev/null +++ b/ghostscript-9.26.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:831fc019bd477f7cc2d481dc5395ebfa4a593a95eb2fe1eb231a97e450d7540d +size 42084660 diff --git a/ghostscript-9.26rc1.tar.gz b/ghostscript-9.26rc1.tar.gz deleted file mode 100644 index 3d22694..0000000 --- a/ghostscript-9.26rc1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1ffa34c9e712c4ab035001f02689dc031ed011f7cbbbb776377a31ec5d586efa -size 42080620 diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index 591a4d1..f057514 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) real and potential + exploits. + Thanks to Man Yue Mo of Semmle Security Research Team, + Jens Mueller of Ruhr-Universitaet Bochum and + Tavis Ormandy of Google's Project Zero + for their help to identify specific security issues. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.26/News.htm + For details see the News.htm and History9.htm files. + ------------------------------------------------------------------- Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de diff --git a/ghostscript-mini.spec b/ghostscript-mini.spec index c07ad0a..f9b560d 100644 --- a/ghostscript-mini.spec +++ b/ghostscript-mini.spec @@ -26,7 +26,7 @@ BuildRequires: libtool BuildRequires: pkg-config BuildRequires: zlib-devel Summary: Minimal Ghostscript for minimal build requirements -License: AGPL-3.0 +License: AGPL-3.0-only Group: System/Libraries Url: http://www.ghostscript.com/ # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1). 
@@ -37,20 +37,20 @@ Url: http://www.ghostscript.com/ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -Version: 9.25pre26rc1 -Release: 0 +#Version: 9.25pre26rc1 # Normal version for Ghostscript releases is the upstream version: -#Version: 9.25 +Version: 9.26 +Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): -#define tarball_version %{version} -%define tarball_version 9.26rc1 +%define tarball_version %{version} +#define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): -#define built_version %{version} -%define built_version 9.26 +%define built_version %{version} +#define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases 
@@ -59,14 +59,14 @@ Release: 0 # URL for MD5 checksums: # wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS # MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz -Source0: ghostscript-%{tarball_version}.tar.gz +#Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz +# wget -O ghostscript-9.26.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz # URL for MD5 checksums: -# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS -# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz -#Source0: ghostscript-%{version}.tar.gz +# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS +# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz +Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: diff --git a/ghostscript.changes b/ghostscript.changes index 00b5e06..416dbce 100644 --- a/ghostscript.changes +++ b/ghostscript.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de + +- Version upgrade to 9.26 + Highlights in this release include: + * Security issues have been the primary focus of this release, + including solving several (well publicised) real and potential + exploits. + Thanks to Man Yue Mo of Semmle Security Research Team, + Jens Mueller of Ruhr-Universitaet Bochum and + Tavis Ormandy of Google's Project Zero + for their help to identify specific security issues. + PLEASE NOTE: + We (i.e. Ghostscript upstream) strongly urge users to upgrade + to this latest release to avoid these issues. + * The usual round of bug fixes, compatibility changes, + and incremental improvements. + For a release summary see: + http://www.ghostscript.com/doc/9.26/News.htm + For details see the News.htm and History9.htm files. + ------------------------------------------------------------------- Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de diff --git a/ghostscript.spec b/ghostscript.spec index ddcf347..0a0c3d7 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -46,7 +46,7 @@ BuildRequires: xorg-x11-devel BuildRequires: xorg-x11-fonts BuildRequires: zlib-devel Summary: The Ghostscript interpreter for PostScript and PDF -License: AGPL-3.0 +License: AGPL-3.0-only Group: System/Libraries Url: http://www.ghostscript.com/ # Special version needed for Ghostscript release candidates (e.g. "Version: 9.14pre15rc1" for 9.15rc1). 
@@ -57,20 +57,20 @@ Url: http://www.ghostscript.com/ # But only with the alphabetic prefix "9.pre15rc1" would be older than the previous version number "9.14" # because rpmvercmp would treat 9.pre15rc1 as 9.pre.15.rc1 and letters are older than numbers # so that we keep additionally the previous version number to upgrade from the previous version: -Version: 9.25pre26rc1 -Release: 0 +#Version: 9.25pre26rc1 # Normal version for Ghostscript releases is the upstream version: -#Version: 9.25 +Version: 9.26 +Release: 0 # tarball_version is used below to specify the directory via "setup -n": # Special tarball_version needed for Ghostscript release candidates e.g. "define tarball_version 9.15rc1". # For Ghostscript releases tarball_version and version are the same (i.e. the upstream version): -#define tarball_version %{version} -%define tarball_version 9.26rc1 +%define tarball_version %{version} +#define tarball_version 9.26rc1 # built_version is used below in the install and files sections: # Separated built_version needed in case of Ghostscript release candidates e.g. "define built_version 9.15". # For Ghostscript releases built_version and version are the same (i.e. the upstream version): -#define built_version %{version} -%define built_version 9.26 +%define built_version %{version} +#define built_version 9.26 # Source0...Source9 is for sources from upstream: # Special URLs for Ghostscript release candidates: # see https://github.com/ArtifexSoftware/ghostpdl-downloads/releases 
@@ -79,14 +79,14 @@ Release: 0 # URL for MD5 checksums: # wget -O gs9.26rc1.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9.26rc1/MD5SUMS # MD5 checksum for Source0: 6539d5b270721938936d721f279a3520 ghostscript-9.26rc1.tar.gz -Source0: ghostscript-%{tarball_version}.tar.gz +#Source0: ghostscript-%{tarball_version}.tar.gz # Normal URLs for Ghostscript releases: # URL for Source0: -# wget -O ghostscript-9.25.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/ghostscript-9.25.tar.gz +# wget -O ghostscript-9.26.tar.gz https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/ghostscript-9.26.tar.gz # URL for MD5 checksums: -# wget -O gs925.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs925/MD5SUMS -# MD5 checksum for Source0: eebd0fadbfa8e800094422ce65e94d5d ghostscript-9.25.tar.gz -#Source0: ghostscript-%{version}.tar.gz +# wget -O gs926.MD5SUMS https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/MD5SUMS +# MD5 checksum for Source0: 806bc2dedbc7f69b003f536658e08d4a ghostscript-9.26.tar.gz +Source0: ghostscript-%{version}.tar.gz # Patch0...Patch9 is for patches from upstream: # Source10...Source99 is for sources from SUSE which are intended for upstream: # Patch10...Patch99 is for patches from SUSE which are intended for upstream: From f0089d8f2b81f98086427712d3f6887a276fbd57136fe9b0f561fbf39d6a7862 Mon Sep 17 00:00:00 2001 
From: Johannes Meixner Date: Fri, 30 Nov 2018 09:32:47 +0000 Subject: [PATCH 3/3] Accepting request 652826 from home:jsmeix:branches:Printing Version upgrade to 9.26 (Purely security and a few bug fixes) OBS-URL: https://build.opensuse.org/request/show/652826 OBS-URL: https://build.opensuse.org/package/show/Printing/ghostscript?expand=0&rev=99 --- ghostscript-mini.changes | 38 +++++++++++++++++++++++++++++++++++++- ghostscript.changes | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 74 insertions(+), 2 deletions(-) diff --git a/ghostscript-mini.changes b/ghostscript-mini.changes index f057514..072c057 100644 --- a/ghostscript-mini.changes +++ b/ghostscript-mini.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de +Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de - Version upgrade to 9.26 Highlights in this release include: 
@@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de For a release summary see: http://www.ghostscript.com/doc/9.26/News.htm For details see the News.htm and History9.htm files. + The Ghostscript 9.26 release should fix (cf. the entry below + dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means) + in particular those security issues (bsc#1117331) + * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass + intended access restrictions + https://bugs.ghostscript.com/show_bug.cgi?id=700153 + https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327 + * CVE-2018-19476: psi/zicc.c allows attackers to bypass + intended access restrictions because of a setcolorspace + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700169 + https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313 + * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass + intended access restrictions because of a JBIG2Decode + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700168 + https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274 + * CVE-2018-19409: LockSafetyParams is not checked correctly + if another device is used + https://bugs.ghostscript.com/show_bug.cgi?id=700176 + https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022 + and those security issues + * CVE-2018-18284: 1Policy operator gives access to .forceput + https://bugs.ghostscript.com/show_bug.cgi?id=69963 + https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229 + * CVE-2018-18073: saved execution stacks can leak operator arrays + https://bugs.ghostscript.com/show_bug.cgi?id=699927 + https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480 + * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox + https://bugs.ghostscript.com/show_bug.cgi?id=699816 + https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479 + * CVE-2018-17183: remote attackers could be able to supply + crafted PostScript to potentially overwrite or replace + error 
handlers to inject code + https://bugs.ghostscript.com/show_bug.cgi?id=699708 + https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105 ------------------------------------------------------------------- Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de diff --git a/ghostscript.changes b/ghostscript.changes index 416dbce..c9a4692 100644 --- a/ghostscript.changes +++ b/ghostscript.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de +Fri Nov 30 09:01:17 CET 2018 - jsmeix@suse.de - Version upgrade to 9.26 Highlights in this release include: 
@@ -18,6 +18,42 @@ Wed Nov 21 12:37:13 CET 2018 - jsmeix@suse.de For a release summary see: http://www.ghostscript.com/doc/9.26/News.htm For details see the News.htm and History9.htm files. + The Ghostscript 9.26 release should fix (cf. the entry below + dated 'Fri Sep 14 10:47:33 CEST 2018' what "should fix" means) + in particular those security issues (bsc#1117331) + * CVE-2018-19475: psi/zdevice2.c allows attackers to bypass + intended access restrictions + https://bugs.ghostscript.com/show_bug.cgi?id=700153 + https://bugzilla.suse.com/show_bug.cgi?id=1117327 bsc#1117327 + * CVE-2018-19476: psi/zicc.c allows attackers to bypass + intended access restrictions because of a setcolorspace + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700169 + https://bugzilla.suse.com/show_bug.cgi?id=1117313 bsc#1117313 + * CVE-2018-19477: psi/zfjbig2.c allows attackers to bypass + intended access restrictions because of a JBIG2Decode + type confusion + https://bugs.ghostscript.com/show_bug.cgi?id=700168 + https://bugzilla.suse.com/show_bug.cgi?id=1117274 bsc#1117274 + * CVE-2018-19409: LockSafetyParams is not checked correctly + if another device is used + https://bugs.ghostscript.com/show_bug.cgi?id=700176 + https://bugzilla.suse.com/show_bug.cgi?id=1117022 bsc#1117022 + and those security issues + * CVE-2018-18284: 1Policy operator gives access to .forceput + https://bugs.ghostscript.com/show_bug.cgi?id=69963 + https://bugzilla.suse.com/show_bug.cgi?id=1112229 bsc#1112229 + * CVE-2018-18073: saved execution stacks can leak operator arrays + https://bugs.ghostscript.com/show_bug.cgi?id=699927 + https://bugzilla.suse.com/show_bug.cgi?id=1111480 bsc#1111480 + * CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox + https://bugs.ghostscript.com/show_bug.cgi?id=699816 + https://bugzilla.suse.com/show_bug.cgi?id=1111479 bsc#1111479 + * CVE-2018-17183: remote attackers could be able to supply + crafted PostScript to potentially overwrite or replace + error 
handlers to inject code + https://bugs.ghostscript.com/show_bug.cgi?id=699708 + https://bugzilla.suse.com/show_bug.cgi?id=1109105 bsc#1109105 ------------------------------------------------------------------- Fri Nov 9 11:25:19 CET 2018 - jsmeix@suse.de