ESB-2018.2753 - [Debian] ghostscript: Multiple vulnerabilities 2018-09-14

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2753
                        ghostscript security update
                             14 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ghostscript
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16802 CVE-2018-16585 CVE-2018-16542
                   CVE-2018-16541 CVE-2018-16540 CVE-2018-16539
                   CVE-2018-16513 CVE-2018-16511 CVE-2018-16509
                   CVE-2018-15911 CVE-2018-15910 CVE-2018-15909
                   CVE-2018-15908 CVE-2018-11645 

Reference:         ESB-2018.2684
                   ESB-2018.0393

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ghostscript
Version        : 9.06~dfsg-2+deb8u8
CVE ID         : CVE-2018-11645 CVE-2018-15908 CVE-2018-15909
                 CVE-2018-15910 CVE-2018-15911 CVE-2018-16509
                 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539
                 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542
                 CVE-2018-16585 CVE-2018-16802
Debian Bug     : 907332 908305 907703

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an
interpreter for the PostScript language, which could result in denial of
service, the creation of files or the execution of arbitrary code if a
malformed Postscript file is processed (despite the dSAFER sandbox being
enabled).

For Debian 8 "Jessie", these problems have been fixed in version
9.06~dfsg-2+deb8u8.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAluaVq5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRjvQ//e4fGGBFvqsvF5B11yW90HuU5piPErwYuIn36tTHF1SqinjXwqX1AIgnH
1swYqbZ6+/S58iXlC3xUwKB5Hh2TE3NTLKO1qkq1/9Qrco7EV2IF80VfVlBfBNPy
ODKZ5YRn9PPSSYOuRrU0ElJqqhBrekwRf1vjN4Dc2ow6AaUQijeBSa038r4Yz+fj
mugoK3qwvV3Fgvx38lPbYbX30mKEN73hSnsHYek7ML/41dk1xWkiFSv5+GfFYimF
40EBxB5ymPN9wGNNkC0FamsnTHgmj4wtuKmtPB0/xZElzjKEJfviDJgXr1Il3bQe
+gK0FASQ9tJoRkiSBoFSXaFzX6Et87TjWzP2LaotTYVCkMIPdWIt2V7Hh+PULYJ5
lNjKpNkyYhXQJU+e8zJyotlxolZz4gtB+OqQqP7U7dp2c/V3ZTJoKyPP+mAHTFfN
vu8q1SWGmpu8i+mPOqWIT/ANQK/p2fiAYkXNL60p7csmogUuopd6X/a/q85+sLuX
ulV1PNBNzkE9OFgOrnWnrh153vxcydbEuk7vQxvYfNO+5bWziKpOo2WYTasWukCV
XHy9NyNrhxNz0zXK8jWsSUUMIs//hVOx5wfUMvxeywL51aWZhqBRKV6tdIHOraBC
iTbp3JW1mFIPpe/7b1xSmLHkHBj00lMBQI8Iyd0pbDjtf57R9Y0=
=HZum
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5tDHWaOgq3Tt24GAQgZ5BAApNHDuGBM6lvVAya473fQNfaupTgMPNzN
HW9YwpH3cD2nS5EwYXaSYMXezaCvCgrmgn88ilj8MsdEdfrTTTyNVrwjvTgx0zhI
55GYlUrNoZj+LzeC4Klbrd+Wvtofav6CGQAS2ex4l9LqP4fYWgyJoTKVLxBKBEDY
MGA/N1/OyxgB/vAcezchXFRmm11eN9GTRLezuNxpxdaV35qgv5c89bk0GWFQJfCl
j8Jq2HIN1CawyGqrjy63/sroH7wpFnlblPvJo/n4PxUdHI3983nXutQAQfQTQ6iY
frHs2Aeen1N4FlVbhoPiuS3K6TJN5jBT1hu11wdgTH6kvXQ8BBUc48TDoJr1ZbU9
+CSOBJtqRoYRFwA9PNYPgEkN8j6pFz5TaB70BE7+o26NXjMHs/yEPnzVja8EZjAQ
Qmrbue5peJG0rggbkIwg+ekwM1QDNkfwtpuNVc9DO+BgSAR3O94cA9y9e3mijQ7e
AYhuTwljNNYWMGu63vhdkTRlEYzh96aXTmNMbWlVNibAkHjj9HNms2sHynI6mS/9
w9zwDOi4FWjf1Sb1c6TpLs13giHLS1widX5vnB87z9Y/79qcbkWCqbKsX71cZYew
QyERLiiScV8YL5sp3dCCYPxoGf+cMuPW8WrkBMCvd5sYKNh2tCE8qJDP5zw/+aBs
yJaYDuHUNh4=
=KTLS
-----END PGP SIGNATURE-----

« Back to bulletins