| Summary: | corruption of operand stack | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Chris Liddell (chrisl) <chris.liddell> |
| Component: | PS Interpreter | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | arasanpoo, cbuissar, gabriel.gilder, henry.stiles, mhart, omarandemad, sbeattie, seth.arnold, spiri_alecs |
| Priority: | P4 | ||
| Version: | master | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | Word Size: | --- | |
|
Comment 2
Chris Liddell (chrisl)
2017-04-27 01:24:03 UTC
This is fixed with: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88 and https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce1 This was assigned CVE-2017-8291. Thanks. What is the new version of ghostscript build with this issue fix. (In reply to Poovarasan Dhanapal from comment #5) > What is the new version of ghostscript build with this issue fix. Any SHA from our Git repository after the stated commit. Will there be a release cut soon with this patch? Would be great to have available via package managers. (In reply to Gabriel Gilder from comment #7) > Will there be a release cut soon with this patch? Would be great to have > available via package managers. The next release of Ghostscript is due for September. Debian, Ubuntu, Fedora have all patched their respective Ghostscript packages and rolled out the fix (amongst others). I'm sure the other distros will be doing so soon - and if they don't, they're unlikely to pull in a new version, either, so.... Note that to support some (rather unpleasant and rarely used) features, the following revision is required in addition to the above commits: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719 (This relates to pstoedit's use of Ghostscript). (In reply to Chris Liddell (chrisl) from comment #3) > This is fixed with: > https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88 > > and > > https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce1 Hi Chris, I get a Gateway Timeout message when clicking these links. Any chance you could post the version number here? Thanks! (In reply to Alecs from comment #11) > (In reply to Chris Liddell (chrisl) from comment #3) > > This is fixed with: > > https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88 > > > > and > > > > https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce1 > > Hi Chris, > > I get a Gateway Timeout message when clicking these links. I'm afraid our server is undergoing a lot of load a the moment, we're trying to work out why. You will need to get the patches from here, so keep trying from time to time, it should eventually get solved. > Any chance you > could post the version number here? There is no version number, we have not made a new release and do not currently plan to make another release until our regularly scheduled release in September. For people backporting patches, please note that in addition to the additional patch that Chris Liddell highlighted in Comment 10, the following patch is also needed http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75 as just applying 57f20719 will result in a ghostscript that segfaults with the original reproducer. |