[Adding debian-lts@lists.debian.org to CC]
Ola Lundqvist wrote:
> I started to look into ghostscript but I could not find any CVE for
> it. Do you remember which CVE that you had in mind?
It was CVE-2016-9601, but:
commit 3999fc68814dbeb21394d0f49d4cb424bee59da8
Author: jmm <jmm@e39458fd-73e7-0310-bf30-c45bca0a0e42>
Date: Thu Jan 5 12:17:38 2017 +0000
fix source package, the vulnerability seems to be in jbig2dec, which is
used by ghostscript these days
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@47750
e39458fd-73e7-0310-bf30-c45bca0a0e42
diff --git a/data/CVE/list b/data/CVE/list
index adbfb066..24d2f097 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -11310,7 +11310,7 @@ CVE-2016-9602
RESERVED
CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new
function]
RESERVED
- - ghostscript <unfixed>
+ - jbig2dec <unfixed>
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697457
CVE-2016-9600 [Null Pointer Dereference due to missing check for UNKNOWN color
space in JP2 encoder]
RESERVED
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
