Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2648-1 Final 1 1 2016-10-26T13:06:39Z current 2016-10-26T13:06:39Z 2016-10-26T13:06:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript fixes the following issues: - CVE-2016-8602: Fixes a NULL dereference in .sethalftone5 (boo#1004237). - CVE-2013-5653, CVE-2016-7978, CVE-2016-7979: Fix multiple -dsafer related CVE's (boo#1001951). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00062.html E-Mail link for openSUSE-SU-2016:2648-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 ghostscript-9.15-6.1 ghostscript-debuginfo-9.15-6.1 ghostscript-debugsource-9.15-6.1 ghostscript-devel-9.15-6.1 ghostscript-mini-9.15-6.1 ghostscript-mini-debuginfo-9.15-6.1 ghostscript-mini-debugsource-9.15-6.1 ghostscript-mini-devel-9.15-6.1 ghostscript-x11-9.15-6.1 ghostscript-x11-debuginfo-9.15-6.1 ghostscript-9.15-6.1 as a component of openSUSE 13.2 ghostscript-debuginfo-9.15-6.1 as a component of openSUSE 13.2 ghostscript-debugsource-9.15-6.1 as a component of openSUSE 13.2 ghostscript-devel-9.15-6.1 as a component of openSUSE 13.2 ghostscript-mini-9.15-6.1 as a component of openSUSE 13.2 ghostscript-mini-debuginfo-9.15-6.1 as a component of openSUSE 13.2 ghostscript-mini-debugsource-9.15-6.1 as a component of openSUSE 13.2 ghostscript-mini-devel-9.15-6.1 as a component of openSUSE 13.2 ghostscript-x11-9.15-6.1 as a component of openSUSE 13.2 ghostscript-x11-debuginfo-9.15-6.1 as a component of openSUSE 13.2 The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file. CVE-2013-5653 openSUSE 13.2:ghostscript-9.15-6.1 openSUSE 13.2:ghostscript-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-devel-9.15-6.1 openSUSE 13.2:ghostscript-mini-9.15-6.1 openSUSE 13.2:ghostscript-mini-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-mini-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-mini-devel-9.15-6.1 openSUSE 13.2:ghostscript-x11-9.15-6.1 openSUSE 13.2:ghostscript-x11-debuginfo-9.15-6.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00062.html https://www.suse.com/security/cve/CVE-2013-5653.html CVE-2013-5653 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 https://bugzilla.suse.com/1036453 SUSE Bug 1036453 Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. CVE-2016-7978 openSUSE 13.2:ghostscript-9.15-6.1 openSUSE 13.2:ghostscript-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-devel-9.15-6.1 openSUSE 13.2:ghostscript-mini-9.15-6.1 openSUSE 13.2:ghostscript-mini-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-mini-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-mini-devel-9.15-6.1 openSUSE 13.2:ghostscript-x11-9.15-6.1 openSUSE 13.2:ghostscript-x11-debuginfo-9.15-6.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00062.html https://www.suse.com/security/cve/CVE-2016-7978.html CVE-2016-7978 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. CVE-2016-7979 openSUSE 13.2:ghostscript-9.15-6.1 openSUSE 13.2:ghostscript-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-devel-9.15-6.1 openSUSE 13.2:ghostscript-mini-9.15-6.1 openSUSE 13.2:ghostscript-mini-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-mini-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-mini-devel-9.15-6.1 openSUSE 13.2:ghostscript-x11-9.15-6.1 openSUSE 13.2:ghostscript-x11-debuginfo-9.15-6.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00062.html https://www.suse.com/security/cve/CVE-2016-7979.html CVE-2016-7979 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. CVE-2016-8602 openSUSE 13.2:ghostscript-9.15-6.1 openSUSE 13.2:ghostscript-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-devel-9.15-6.1 openSUSE 13.2:ghostscript-mini-9.15-6.1 openSUSE 13.2:ghostscript-mini-debuginfo-9.15-6.1 openSUSE 13.2:ghostscript-mini-debugsource-9.15-6.1 openSUSE 13.2:ghostscript-mini-devel-9.15-6.1 openSUSE 13.2:ghostscript-x11-9.15-6.1 openSUSE 13.2:ghostscript-x11-debuginfo-9.15-6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00062.html https://www.suse.com/security/cve/CVE-2016-8602.html CVE-2016-8602 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 https://bugzilla.suse.com/1036453 SUSE Bug 1036453