Hi, On Thu, Oct 27, 2016 at 12:53:56PM +0200, Salvatore Bonaccorso wrote: > Hi > > On Thu, Oct 27, 2016 at 06:40:12AM -0400, Roberto C. Sánchez wrote: > > On Thu, Oct 27, 2016 at 12:35:16PM +0200, Moritz Muehlenhoff wrote: > > > On Thu, Oct 27, 2016 at 06:31:43AM -0400, Roberto C. Sánchez wrote: > > > > On Thu, Oct 27, 2016 at 08:54:39AM +0200, Moritz Muehlenhoff wrote: > > > > > > > > > > Salvatore mentioned that the same bug occurs when unstable has the > > > > > security > > > > > patches merged (which hasn't happened so far :-/), so this needs to > > > > > be reported > > > > > upstream. > > > > > > > > > Would that be to ghostscript upstream? I guess that with seeing the > > > > evince problem in Jessie with both ghostscript 9.06~dfsg-2+deb8u2 and > > > > 9.06~dfsg-2+deb8u3 I wasn't certain that the fault is completely with > > > > ghostscript. > > > > > > I haven't debugged this myself, but my guess is that libspectre > > > relies/relied > > > on the insecure ghostscript behaviour which got patches with the security > > > fixes... > > > > > OK. That makes sense. Thanks for clarifying. > > Edgar Fuss has now posted where the bug actually seem to be. I'm > currently building ghostscript with that. > > @Roberto: note, +deb8u1 -> +deb8u3 to see the regression, not the > intermittent +deb8u2.
Packages with that patch added are now as well on https://people.debian.org/~carnil/tmp/ghostscript/ Please test those if possible for you. Regards, Salvatore
diff -Nru ghostscript-9.06~dfsg/debian/changelog ghostscript-9.06~dfsg/debian/changelog --- ghostscript-9.06~dfsg/debian/changelog 2016-10-11 19:35:21.000000000 +0200 +++ ghostscript-9.06~dfsg/debian/changelog 2016-10-27 12:51:34.000000000 +0200 @@ -1,3 +1,13 @@ +ghostscript (9.06~dfsg-2+deb8u4) jessie-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add 840691-Fix-.locksafe.patch patch. + Fixes regression seen with zathura and evince. Fix .locksafe. We need to + .forceput the defintion of getenv into systemdict. + Thanks to Edgar Fuß <e...@math.uni-bonn.de> (Closes: #840691) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 27 Oct 2016 12:51:34 +0200 + ghostscript (9.06~dfsg-2+deb8u3) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch --- ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.06~dfsg/debian/patches/840691-Fix-.locksafe.patch 2016-10-27 12:51:34.000000000 +0200 @@ -0,0 +1,24 @@ +Description: Fix .locksafe + Apparently we need to .forceput the definition of getenve into + systemdict, at least when running GSView 5.0. + . + Discovered when trying to investigate a customer bug report using + GSView 5. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99e331527d541a8f01ad5455c4eb2aabd67281a6 +Bug-Debian: https://bugs.debian.org/840691 +Forwarded: not-needed +Author: Ken Sharp <ken.sh...@artifex.com> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-10-27 + +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -2011,7 +2011,7 @@ readonly def + >> setuserparams + } + if +- systemdict /getenv {pop //false} put ++ systemdict /getenv {pop //false} .forceput + % setpagedevice has the side effect of clearing the page, but + % we will just document that. Using setpagedevice keeps the device + % properties and pagedevice .LockSafetyParams in agreement even diff -Nru ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch --- ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-11 19:35:21.000000000 +0200 +++ ghostscript-9.06~dfsg/debian/patches/CVE-2016-8602.patch 2016-10-27 12:51:34.000000000 +0200 @@ -5,13 +5,6 @@ Forwarded: not-needed Author: Salvatore Bonaccorso <car...@debian.org> Last-Update: 2016-10-11 - -From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001 -From: Chris Liddell <chris.lidd...@artifex.com> -Date: Sat, 8 Oct 2016 16:10:27 +0100 -Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5 - -and param types --- psi/zht2.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff -Nru ghostscript-9.06~dfsg/debian/patches/series ghostscript-9.06~dfsg/debian/patches/series --- ghostscript-9.06~dfsg/debian/patches/series 2016-10-11 19:35:21.000000000 +0200 +++ ghostscript-9.06~dfsg/debian/patches/series 2016-10-27 12:51:34.000000000 +0200 @@ -20,3 +20,4 @@ CVE-2016-7978.patch CVE-2016-7979.patch CVE-2016-8602.patch +840691-Fix-.locksafe.patch
