[Full-disclosure] [ MDVSA-2009:165 ] ghostscript




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:165
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ghostscript
Date : July 28, 2009
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities have been identified and fixed
in ghostscript:

Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).

Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
vectors related to the mif_hdr_put function and use of vsprintf
(CVE-2008-3522).

Previously the ghostscript packages were statically built against
a bundled and private copy of the jasper library. This update makes
ghostscript link against the shared system jasper library which
makes it easier to address presumptive future security issues in the
jasper library.
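
The two bug classes named above (an unchecked multiplication feeding an allocation, and unbounded vsprintf output), shown in their hardened form. This is an added example, not code from JasPer, ghostscript or the Mandriva patch; the helper names checked_alloc_array and bounded_printf and the sample values are hypothetical.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: allocate count * size bytes, refusing any request
 * whose product would wrap past SIZE_MAX (the CVE-2008-3520 bug class).
 * Without the check, a wrapped product yields a too-small buffer. */
static void *checked_alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;                     /* count * size would overflow */
    return malloc(count * size);
}

/* Hypothetical helper: bounded formatting in place of vsprintf (the
 * CVE-2008-3522 bug class). Returns 0 on success, -1 when the output did
 * not fit or formatting failed; buf is NUL-terminated either way. */
static int bounded_printf(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buflen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap); /* never writes past buflen */
    va_end(ap);
    if (n < 0 || (size_t)n >= buflen) {
        buf[buflen - 1] = '\0';
        return -1;                       /* caller must treat as an error */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: dimensions whose product wraps to 4 bytes. */
    size_t count = SIZE_MAX / 4 + 2, size = 4;
    void *p = checked_alloc_array(count, size);
    char line[16];
    int rc;

    printf("oversized request: %s\n", p ? "allocated" : "rejected");
    free(p);
    rc = bounded_printf(line, sizeof line, "tlx=%d tly=%d", 1234567, 7654321);
    printf("header line: %s\n", rc == 0 ? line : "too long, rejected");
    return 0;
}
```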
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3522
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
522b6a5c361a4a6205516b882a92064b mes5/i586/ghostscript-8.63-62.3mdvmes5.i586.rpm
362fcaf29ec6ed28b776c5bbc7623a07 mes5/i586/ghostscript-common-8.63-62.3mdvmes5.i586.rpm
5957705fb7537c5386d8cce36db9b133 mes5/i586/ghostscript-doc-8.63-62.3mdvmes5.i586.rpm
fc18ad1734dfb9c561fe32f9fd4eaddc mes5/i586/ghostscript-dvipdf-8.63-62.3mdvmes5.i586.rpm
82848a8c21df381f3623feee9a7e5f06 mes5/i586/ghostscript-module-X-8.63-62.3mdvmes5.i586.rpm
a60ef4bbf6d230413798123d76c66256 mes5/i586/ghostscript-X-8.63-62.3mdvmes5.i586.rpm
63b592eb894b53f976d4fc46efb82c40 mes5/i586/libgs8-8.63-62.3mdvmes5.i586.rpm
0a985aa191f8fc700efeb5c3107dc5bc mes5/i586/libgs8-devel-8.63-62.3mdvmes5.i586.rpm
42bb3a1f0bdef682d8ed32dd4cd4a6f9 mes5/i586/libijs1-0.35-62.3mdvmes5.i586.rpm
eea9f8a2b112eb7382e3afcce2cf7b32 mes5/i586/libijs1-devel-0.35-62.3mdvmes5.i586.rpm
c81b2ecc80d4d336b772708f6d0597b8 mes5/SRPMS/ghostscript-8.63-62.3mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
3b171f576c4da5ed378f76fef0e0aeb2 mes5/x86_64/ghostscript-8.63-62.3mdvmes5.x86_64.rpm
ed2b0836b7a4ede822c0952ef515fafd mes5/x86_64/ghostscript-common-8.63-62.3mdvmes5.x86_64.rpm
4fed216433f8b0b57e15ba2f7db56ef5 mes5/x86_64/ghostscript-doc-8.63-62.3mdvmes5.x86_64.rpm
0a7dd5e643c5847e22aad380aa2dd9fd mes5/x86_64/ghostscript-dvipdf-8.63-62.3mdvmes5.x86_64.rpm
779b16024d8e8bfd033374b6facae06d mes5/x86_64/ghostscript-module-X-8.63-62.3mdvmes5.x86_64.rpm
c71e7fd9849cd6f068692445b9d276f8 mes5/x86_64/ghostscript-X-8.63-62.3mdvmes5.x86_64.rpm
b410c041382d1e5b0660d59444e76e5d mes5/x86_64/lib64gs8-8.63-62.3mdvmes5.x86_64.rpm
6be22e00b18420ae3869c8e992457512 mes5/x86_64/lib64gs8-devel-8.63-62.3mdvmes5.x86_64.rpm
53cd9beb7f4f864c82374e12c9650686 mes5/x86_64/lib64ijs1-0.35-62.3mdvmes5.x86_64.rpm
2715b78eba10382e254d79783e5c74bd mes5/x86_64/lib64ijs1-devel-0.35-62.3mdvmes5.x86_64.rpm
c81b2ecc80d4d336b772708f6d0597b8 mes5/SRPMS/ghostscript-8.63-62.3mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKbzS2mqjQ0CJFipgRAhOCAJ0QvEQDjyMuVkGWpPrsqoreAvg3zACcD8Ht
pMn92KxDJ/tQMexED1MckiM=
=ykFM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


