[Buildroot] [PATCH] ghostscript: security bump to version 9.26

Peter Korsgaard peter at korsgaard.com
Thu Nov 29 18:58:03 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 >  - CVE-2018-17961: Artifex Ghostscript 9.25 and earlier allows attackers to
 >    bypass a sandbox protection mechanism via vectors involving errorhandler
 >    setup.  NOTE: this issue exists because of an incomplete fix for
 >    CVE-2018-17183.

 > - CVE-2018-18284: Artifex Ghostscript 9.25 and earlier allows attackers to
 >   bypass a sandbox protection mechanism via vectors involving the 1Policy
 >   operator.

 > - CVE-2018-19409: An issue was discovered in Artifex Ghostscript before
 >   9.26.  LockSafetyParams is not checked correctly if another device is
 >   used.

 > - CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows
 >   remote attackers to bypass intended access restrictions because available
 >   stack space is not checked when the device remains the same.

 > - CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows
 >   remote attackers to bypass intended access restrictions because of a
 >   setcolorspace type confusion.

 > - CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows
 >   remote attackers to bypass intended access restrictions because of a
 >   JBIG2Decode type confusion.

 > For more details, see the release notes:
 > https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard



More information about the buildroot mailing list