FS#60370 - [ghostscript] Backport fixes for CVE-2018-17961
Attached to Project:
Arch Linux
Opened by Tommy Schmitt (spinka) - Wednesday, 10 October 2018, 10:36 GMT
Last edited by Andreas Radke (AndyRTR) - Friday, 26 October 2018, 14:05 GMT
Details
Description:
Yet another ghostscript vulnerability was found:
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://bugs.chromium.org/p/project-zero/issues/detail?id=1682&desc=2
Fixing it requires backporting two upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d0
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94
Closed by Andreas Radke (AndyRTR)
Friday, 26 October 2018, 14:05 GMT
Reason for closing: Fixed
Additional comments about closing: 9.25-4
CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://bugs.chromium.org/p/project-zero/issues/detail?id=1682
CVE-2018-18073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://bugs.chromium.org/p/project-zero/issues/detail?id=1690
CVE-2018-18284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18284
https://bugs.chromium.org/p/project-zero/issues/detail?id=1696
Public exploits available for all of them.
For now the only workaround is to install ghostscript-git from AUR.
I think you can consider switching to an upstream git snapshot temporarily until they make a new release.
Debian did a backport with a total of 33 patches, but I think this is the harder route:
https://salsa.debian.org/printing-team/ghostscript/commit/5c1ed12f4c4eefed920231c7c790458a3000c7f1