Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

1.68. ghostscript

1.68.1.  RHSA-2009:0421: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:0421
Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.
It was discovered that the Red Hat Security Advisory RHSA-2009:0345 did not address all possible integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2009-0792)
A buffer overflow flaw and multiple missing boundary checks were found in Ghostscript. An attacker could create a specially-crafted PostScript or PDF file that could cause Ghostscript to crash or, potentially, execute arbitrary code when opened. (CVE-2008-6679, CVE-2007-6725, CVE-2009-0196)
Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly reporting the CVE-2009-0196 flaw.
Users of ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

1.68.2.  RHSA-2009:0345: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:0345
Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Ghostscript is a set of software that provides a PostScript(TM) interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.
Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in Ghostscript's International Color Consortium Format library (icclib). Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, potentially, execute arbitrary code when opened by the victim. (CVE-2009-0583, CVE-2009-0584)
All users of ghostscript are advised to upgrade to these updated packages, which contain a backported patch to correct these issues.

1.68.3.  RHBA-2009:1257: bug fix update

A ghostscript update that fixes several bugs is now available.
The Ghostscript suite provides a PostScript(TM) interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language), and an interpreter for PDF files. Ghostscript translates PostScript code into many common, bitmapped formats, like those understood by most printers and displays. This enables users to display PostScript files and print them on non-PostScript printers.
This update applies the following fixes:
  • an incorrect offset computation that occurred when handling subglyphs made it possible for ghostscript to read uninitialized data. When this occurred, ghostscript would crash with a segmentation fault. This update corrects the offset computation, preventing ghostscript from reading uninitialized data. (BZ#450717)
  • the way that the Ghostscript source code used pointer aliasing could produce unexpected results when strict aliasing optimizations are in use. To avoid problems, this ghostscript update was built using the -fno-strict-aliasing option, which disables strict aliasing optimization. (BZ#465960)
  • a typographical error in the gsiparam.h header file made it possible for some PDF files to cause ghostscript to fall into an infinite loop. This update fixes the error. (BZ#473889)
  • the gdevpsu.c source file incorrectly defined the point size of A3 pages, which sometimes resulted in incorrect document page sizes. This update fixes the point size definition error , ensuring that A3 pages are always printed with the correct size. (BZ#480978)
  • this update corrects how the cvrs PostScript operator performs sign extensions. This fix prevents range errors from occurring on 64-bit platforms. (BZ#488127)
  • this update also fixes ColorSpace initialization in the InkJet Server (IJS) driver, which is used by hpijs and gimp-print drivers in some configurations. In previous releases, print jobs that did not initialize ColorSpace failed whenever they used Ghostscript to render and print PDFs on devices that used the ijs driver. (BZ#504254)
Users of ghostscript are advised to apply this update.