[ubuntu/noble-security] ghostscript 10.02.1~dfsg1-0ubuntu7.3 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Jul 15 11:18:28 UTC 2024 

ghostscript (10.02.1~dfsg1-0ubuntu7.3) noble-security; urgency=medium

  * SECURITY UPDATE: stack-based buffer overflow via long PDF filter name
    - debian/patches/CVE-2024-29506.patch: don't allow PDF files with bad
      Filters to overflow the debug buffer in pdf/pdf_file.c.
    - CVE-2024-29506
  * SECURITY UPDATE: stack-based buffer overflows
    - debian/patches/CVE-2024-29507.patch: bounds checks when using CIDFont
      related params in pdf/pdf_font.c, pdf/pdf_warnings.h.
    - CVE-2024-29507
  * SECURITY UPDATE: heap-based pointer disclosure via constructed BaseFont
    name
    - debian/patches/CVE-2024-29508.patch: review printing of pointers in
      base/gsfont.c, base/gsicc_cache.c, base/gsmalloc.c, base/gxclmem.c,
      base/gxcpath.c, base/gxpath.c, base/szlibc.c, devices/gdevupd.c,
      devices/vector/gdevpdtb.c, psi/ialloc.c, psi/igc.c, psi/igcstr.c,
      psi/iinit.c, psi/imainarg.c, psi/isave.c, psi/iutil.c.
    - debian/patches/CVE-2024-29508-2.patch: fix compiler warning in
      optimised build in base/gsicc_cache.c.
    - debian/patches/CVE-2024-29508-3.patch: remove extra arguments in
      devices/gdevupd.c.
    - CVE-2024-29508
  * SECURITY UPDATE: heap-based overflow via PDFPassword with null byte
    - debian/patches/CVE-2024-29509.patch: don't use strlen on passwords in
      pdf/pdf_sec.c.
    - CVE-2024-29509
  * SECURITY UPDATE: directory traversal issue via OCRLanguage
    - debian/patches/CVE-2024-29511.patch: reject OCRLanguage changes after
      SAFER enabled in devices/gdevocr.c, devices/gdevpdfocr.c,
      devices/vector/gdevpdfp.c.
    - debian/patches/CVE-2024-29511-2.patch: original fix was overly
      aggressive in devices/gdevocr.c, devices/gdevpdfocr.c,
      devices/vector/gdevpdf.c, devices/vector/gdevpdfp.c.
    - CVE-2024-29511

Date: 2024-07-11 16:38:11.109624+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.3
-------------- next part --------------
Sorry, changesfile not available.

More information about the noble-changes mailing list