[FFe] Ghostscript 9.24 - Highly recommended by upstream for security

Bug #1791279 reported by Till Kamppeter
Affects: ghostscript (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Artifex announced their Ghostscript 9.24 release as follows:

----------
Artifex Software, Inc. is happy to announce the release of
GPL Ghostscript 9.24 and GhostPDL 9.24.

Note that due to some recently discovered security related issues, we
strongly recommend updating installations to 9.24, as soon as possible.
----------

And in the release notes on

https://www.ghostscript.com/doc/9.24/News.htm

they write:

----------
Security issues have been the primary focus of this release, including solving several (well publicised) real and potential exploits.
PLEASE NOTE: We strongly urge users to upgrade to this latest release to avoid these issues.
----------

I also talked with the Canonical/Ubuntu security team and Steve Beattie writes

----------
Yes, that would be great if we could move ghostscript forward in
cosmic to the 9.24 version. Happy to add the Security Team's support for
this in a FFE bug report, if needed.
----------

Therefore I want to upgrade Cosmic's Ghostscript (currently 9.23) to version 9.24.

A summary of the changes in the new version you find on

https://www.ghostscript.com/doc/9.24/News.htm

Details you can see on

https://www.ghostscript.com/doc/9.24/History9.htm#Version9.24

Tags: security
Till Kamppeter (till-kamppeter) wrote :

Build log of the new Ghostscript 9.24 package using

pbuilder-dist cosmic ghostscript_9.24~dfsg+1-0ubuntu1.dsc

Till Kamppeter (till-kamppeter) wrote :

Install log of ghostscript 9.24 package.

Till Kamppeter (till-kamppeter) wrote :

Tested Ghostscript by displaying PDF files ("gs file.pdf") and printing jobs through queues using Ghostscript (driverless printer using Apple AirPrint). Seems all to work.

Łukasz Zemczak (sil2100) wrote :

Approved, please proceed with the upload ASAP.

Changed in ghostscript (Ubuntu):
status: New → Triaged
Changed in ghostscript (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ghostscript - 9.25~dfsg+1-0ubuntu1

---------------
ghostscript (9.25~dfsg+1-0ubuntu1) cosmic; urgency=medium

  * New upstream bug fix release
    Highlights:
    - Highly recommended by upstream, release done to fix regressions in 9.24.
    - This release fixes problems with argument handling, some unintended
      results of the security fixes to the SAFER file access restrictions
      (specifically accessing ICC profile files), and some additional security
      issues over the recent 9.24 release.
    - Note: The ps2epsi utility does not, and cannot call Ghostscript with
      the -dSAFER command line option. It should never be called with input
      from untrusted sources.
  * Removed patch 020180906-bc3df07-*.patch backported from upstream.
  * Refreshed patches 2003_support_multiarch.patch and
    2007_suggest_install_ghostscript-doc_in_code.patch with quilt.
  * debian/libgs9.symbols: Updated for new upstream source. Applied patch
    which dpkg-gensymbols generated.

 -- Till Kamppeter <email address hidden> Thu, 13 Sep 2018 20:27:06 +0200

Changed in ghostscript (Ubuntu):
status: Fix Committed → Fix Released
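
The changelog above notes that ps2epsi cannot call Ghostscript with -dSAFER and should never receive untrusted input. As an added example (not part of the original report or of the Ghostscript or Ubuntu packaging), the following sketch audits command lines for Ghostscript calls that lack -dSAFER and for any use of ps2epsi. The function names, the binary names "gs" and "ghostscript", and the sample command lines are assumptions constructed for illustration.

```python
import os
import shlex

GS_NAMES = {"gs", "ghostscript"}   # interpreter binary names (assumption)
NO_SAFER_TOOLS = {"ps2epsi"}       # per the changelog: cannot pass -dSAFER
SEPARATORS = {"|", "||", "&&", ";"}

def audit_command(line):
    """Return findings for one command line (first word of each stage only)."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:
        return ["unparseable command line"]
    # Split into pipeline/sequence stages so every stage is checked on its own.
    stages, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    findings = []
    for stage in stages:
        if not stage:
            continue
        prog, args = os.path.basename(stage[0]), stage[1:]
        if prog in NO_SAFER_TOOLS:
            findings.append(f"{prog}: no -dSAFER possible, trusted input only")
        elif prog in GS_NAMES:
            if "-dNOSAFER" in args:
                findings.append(f"{prog}: -dNOSAFER turns the restrictions off")
            elif "-dSAFER" not in args:
                findings.append(f"{prog}: -dSAFER missing")
    return findings

# Constructed sample command lines, e.g. collected from print filters or cron jobs.
SAMPLES = [
    "gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=out.pdf in.ps",
    "/usr/bin/gs -dBATCH -dNOPAUSE -sDEVICE=png16m -sOutputFile=p.png upload.pdf",
    "ps2epsi upload.ps out.epsi",
    "cat job.ps | gs -dNOSAFER -q -sDEVICE=txtwrite -sOutputFile=- -",
]

def audit(lines):
    """Map 1-based line number -> findings, omitting clean lines."""
    results = {n: audit_command(l) for n, l in enumerate(lines, 1)}
    return {n: f for n, f in results.items() if f}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Only the first word of each stage is inspected, so calls hidden behind wrappers such as sudo or env are not covered by this sketch.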