GNU bug report logs - #32663
[PATCH 0/2] Ghostscript fixes
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 8 Sep 2018 11:09:02 UTC
Severity: normal
Tags: patch
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Sep 08, 2018 at 01:08:16PM +0200, Marius Bakke wrote:
>> These patches aim to fix the recent security issues in Ghostscript.
>> I have verified that the reproducers in
>> <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640> no
>> longer work with these patches.
>>
>> Marius Bakke (2):
>> gnu: jbig2dec: Replace with 0.15 [security fixes].
>> gnu: ghostscript: Update replacement to 9.24 [security fixes].
>
> Thanks! Looks good to me assuming Ghostscript 9.24 is ABI compatible
> with 9.23.
There are changes[0], but they are internal to the library and so
*should* be harmless. Unfortunately I haven't been able to get the
--drop-private-types or --harmless options of abidiff working.

The same goes for jbig2dec, although it's more complicated since it
includes a static library (to be removed on core-updates). It does not
look like any of the consumers actually use it, though.

Will push this after some more testing, as well as including the patch
suggested by Tavis on oss-sec.

[0] <https://bugs.gnu.org/32670>
This bug report was last modified 6 years and 107 days ago.