[Buildroot] [PATCH] ghostscript: security bump to version 9.26
Peter Korsgaard
peter at korsgaard.com
Mon Dec 3 22:10:15 UTC 2018
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security vulnerabilities:
>
> - CVE-2018-17961: Artifex Ghostscript 9.25 and earlier allows attackers to
>   bypass a sandbox protection mechanism via vectors involving errorhandler
>   setup. NOTE: this issue exists because of an incomplete fix for
>   CVE-2018-17183.
>
> - CVE-2018-18284: Artifex Ghostscript 9.25 and earlier allows attackers to
>   bypass a sandbox protection mechanism via vectors involving the 1Policy
>   operator.
>
> - CVE-2018-19409: An issue was discovered in Artifex Ghostscript before
>   9.26. LockSafetyParams is not checked correctly if another device is
>   used.
>
> - CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows
>   remote attackers to bypass intended access restrictions because available
>   stack space is not checked when the device remains the same.
>
> - CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows
>   remote attackers to bypass intended access restrictions because of a
>   setcolorspace type confusion.
>
> - CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows
>   remote attackers to bypass intended access restrictions because of a
>   JBIG2Decode type confusion.
>
> For more details, see the release notes:
> https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2018.02.x and 2018.08.x, thanks.
--
Bye, Peter Korsgaard