ESB-2018.3532 - [Debian] ghostscript: Multiple vulnerabilities 2018-11-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3532
                        ghostscript security update
                             12 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ghostscript
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-18284 CVE-2018-18073 CVE-2018-17961
                   CVE-2018-11645  

Reference:         ESB-2018.3218
                   ESB-2018.3128
                   ESB-2018.3396

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4336

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4336-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 10, 2018                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-11645 CVE-2018-17961 CVE-2018-18073 CVE-2018-18284
Debian Bug     : 910678 910758 911175

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service,
disclosure of existence and size of arbitrary files, or the execution of
arbitrary code if a malformed PostScript file is processed (despite the
dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.25
which includes additional non-security related changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.25~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
