[Git][security-tracker-team/security-tracker][master] 2 commits: detailed triage for ghostscript in buster

Roberto C. Sánchez (@roberto) roberto at debian.org
Sat Jun 29 18:59:16 BST 2024



Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d33f6566 by Roberto C. Sánchez at 2024-06-29T13:49:17-04:00
detailed triage for ghostscript in buster

mark CVE-2023-52722, CVE-2024-29510, CVE-33871 as <ignored>

The commits which fix these vulnerabilities rely on API concepts and
functions introduced for version 9.50. It does not make sense to
backport these fixes without the associated API concepts and functions.
The diff containing the necessary changes is >10k lines, which would be
far too intrusive to backport to the older version (9.27) in buster.

- - - - -
1f4583a0 by Roberto C. Sánchez at 2024-06-29T13:58:23-04:00
LTS: drop ghostscript from dla-needed.txt, all CVEs are ignored

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -17114,15 +17114,21 @@ CVE-2023-5971 (The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0
 CVE-2024-29510
 	{DSA-5692-1}
 	- ghostscript 10.03.1~dfsg~git20240518-1
+	[bullseye] - ghostscript <ignored> (fix requires API functions introduced in 9.50)
 	NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f (ghostpdl-10.03.1)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707662
+	NOTE: API functions used by fixing commit were introduced in:
+	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2
 CVE-2024-33871
 	{DSA-5692-1}
 	- ghostscript 10.03.1~dfsg~git20240518-1
+	[bullseye] - ghostscript <ignored> (fix requires API functions introduced in 9.50)
 	NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908 (ghostpdl-10.03.1)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707754
+	NOTE: API functions used by fixing commit were introduced in:
+	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2
 CVE-2024-33870
 	{DSA-5692-1}
 	- ghostscript 10.03.1~dfsg~git20240518-1
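Review bot: the suite tags added for CVE-2024-29510 and CVE-2024-33871 read `[bullseye] - ghostscript <ignored> (fix requires API functions introduced in 9.50)`, but the commit message describes triage for buster and justifies `<ignored>` with the 9.27 version shipped in buster; if buster is the suite being triaged these lines should say `[buster]`, and if bullseye is really intended the "introduced in 9.50" rationale needs to be checked against bullseye's own ghostscript version rather than buster's. Minor: the commit message lists the third CVE as "CVE-33871", which is missing its year.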
@@ -21909,8 +21915,11 @@ CVE-2024-25050 (IBM i 7.2, 7.3, 7.4, 7.5 and IBM Rational Development Studio for
 CVE-2023-52722 (An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zm ...)
 	{DSA-5692-1}
 	- ghostscript 10.02.0~dfsg-1
+	[bullseye] - ghostscript <ignored> (fix requires API functions introduced in 9.50)
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1 (ghostpdl-10.03.0rc1)
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1ff9a695947967d2d327c45bf5145dd381fc1745 (ghostpdl-10.02.0)
+	NOTE: API functions used by fixing commit were introduced in:
+	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=9de16a6637b73e35f79d2d622de403b24e6502f2
 CVE-2022-48685 (An issue was discovered in Logpoint 7.1 before 7.1.2. The daily execut ...)
 	NOT-FOR-US: Logpoint
 CVE-2022-48684 (An issue was discovered in Logpoint before 7.1.1. Template injection w ...)
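Review bot: same suite-tag question for CVE-2023-52722: the new line is `[bullseye] - ghostscript <ignored> (...)` while the commit rationale is about buster and 9.27. Also, this entry already lists two fixing commits (1ff9a695 for ghostpdl-10.02.0 and afd7188f for ghostpdl-10.03.0rc1) but the added NOTE says "API functions used by fixing commit" in the singular; say which of the two commits depends on the API from 9de16a66 so a later reader does not have to re-derive it.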


=====================================
data/dla-needed.txt
=====================================
@@ -94,14 +94,6 @@ freeimage
   NOTE: 20240412: ELTS also have a need to update this package.
   NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola)
 --
-ghostscript
-  NOTE: 20240510: Added by Front-Desk (ta)
-  NOTE: 20240621: I am returning the package so that someone else can assess
-  NOTE: 20240621: whether we can fix the problems or have to ignore them.
-  NOTE: 20240621: The patches rely on newly introduced API,e.g.
-  NOTE: 20240621: gs_activate_path_control,gs_is_path_control_active. I don't
-  NOTE: 20240621: think it makes sense to introduce those changes without those functions.
---
 glibc (Adrian Bunk)
   NOTE: 20240504: Re-add for remaining CVEs. (bunk)
   NOTE: 20240520: Testing fixes. (bunk)
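Review bot: removing this entry drops the only place that names the API functions the fixes depend on (gs_activate_path_control and gs_is_path_control_active, from the 20240621 note); the NOTEs added to data/CVE/list in the same push only link the introducing commit 9de16a66, so carry the function names over there before deleting them here. The removal is justified with "all CVEs are ignored", but the `<ignored>` tags added in this push are for bullseye while this file and the first commit message concern buster, so confirm the tags target the suite this entry was tracking before dropping it.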



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b25d2ce47e04bc3dd9b2c05c2c285a462738276c...1f4583a0442ab914830efdab6ded5d6e9c687206
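The triage above rests on one factual check: the fixing commits call functions that the older source tree does not have. As an added example (not code from this commit, the security tracker, or Ghostscript), the script below automates that check: given a fixing commit as a unified diff and the source tree of the version you would backport to, it lists every function called on the patch's added lines that is defined nowhere in that tree. The names gs_activate_path_control and gs_is_path_control_active are taken from the dla-needed.txt notes; the sample patch, the file names in it, and the stand-in `gs-9.27` tree are constructed for the demonstration and are not Ghostscript's real sources.

```shell
#!/bin/sh
# Added example, not code from the Debian security tracker or from Ghostscript.
# missing_symbols PATCH SRCDIR
#   Prints, one per line and sorted, every identifier that is used as a
#   function call on a '+' line of PATCH (the '+++' file header excluded)
#   and that appears nowhere in the *.c / *.h files under SRCDIR.
missing_symbols() {
    patch=$1
    srcdir=$2
    grep '^+' "$patch" | grep -v '^+++' \
        | grep -oE '[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' \
        | sed 's/[[:space:]]*($//' \
        | sort -u \
        | while read -r sym; do
            # control-flow keywords look like calls to the regex above
            case $sym in if|for|while|switch|sizeof|return) continue ;; esac
            # -w: whole-word match, so gs_lib_ctx does not satisfy gs_lib_ctx_init
            if ! find "$srcdir" -type f \( -name '*.c' -o -name '*.h' \) \
                    -exec grep -lw "$sym" {} + | grep -q .; then
                printf '%s\n' "$sym"
            fi
        done
}

# make_fixture: build a constructed stand-in for the situation in the triage
# above. The "old tree" declares gs_lib_ctx_init but knows nothing of the
# path-control API; the "fixing patch" calls both. Prints the fixture dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/gs-9.27/base"
    cat > "$d/gs-9.27/base/gslibctx.h" <<'EOF'
/* constructed header: pre-9.50 API surface, no gs_*_path_control functions */
int gs_lib_ctx_init(gs_lib_ctx_t *ctx, gs_memory_t *mem);
EOF
    cat > "$d/fix.patch" <<'EOF'
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -10,3 +10,7 @@
 int zfile_check(gs_memory_t *mem)
 {
+    /* constructed hunk in the shape of the fixes discussed above */
+    if (gs_is_path_control_active(mem))
+        return gs_activate_path_control(mem, 1);
+    return gs_lib_ctx_init(NULL, mem);
 }
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: report what a backport of the sample patch to the sample
# old tree would be missing, then clean up.
demo() {
    d=$(make_fixture)
    missing_symbols "$d/fix.patch" "$d/gs-9.27"
    rm -rf "$d"
}
demo
```

Against a real tree you would run `missing_symbols fix.patch /path/to/ghostscript-9.27` with the fixing commit saved via `git format-patch -1 <id>`. Two caveats a triager should keep in mind: libc or compiler builtins called on added lines will be reported too (filter by the project's prefix, here `gs_`/`gp_`, if that is noise), and an empty result only shows the names exist in the old tree, not that their semantics match the version the fix was written for.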

-- 
This project does not include diff previews in email notifications.

