| | 20180420 |
deekej | hello kens, small question - is ghostscript 9.22 or 9.23 affected by the CVE-2018-10194 as well? | 12:20.51 |
| (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879) | 12:21.06 |
kens | Everything is | 12:21.24 |
| Though I understand that versions after 9.20 'mask' the problem, they still output a broken PDF. | 12:21.46 |
deekej | kens: ok, thanks :) did you guys receive a reproducer for this at all? | 12:21.49 |
kens | They just don't seg fault | 12:21.54 |
deekej | oh, I see | 12:22.01 |
kens | Yes the bug file is attached to the bug | 12:22.04 |
deekej | I don't have access to it. I need to wait for our security guys to provide a reproducer for it. | 12:22.29 |
chrisl | I can add you to the CC list for the bug | 12:22.49 |
kens | :-) Beat me to it | 12:22.59 |
deekej | is it OK guys? I haven't signed any document for you yet... :-/ | 12:23.36 |
kens | Well it's fixed, and the stated policy is to make them public some (short'ish) time after they are fixed | 12:23.59 |
chrisl | I trust you to use the file responsibly | 12:24.02 |
| deekej: You should be able to get it now - I think | 12:24.16 |
kens | So I don't see a problem with giving you very slightly early access | 12:24.16 |
deekej | ok, thanks :) appreciated | 12:24.34 |
kens | Hmm well 9.18 doesn't seg fault on Windows either. | 12:26.06 |
| And I don't have a copy that old on Linux right at the moment, but I guess you can check it | 12:26.27 |
deekej | kens: I have to check it for 9.22, 9.07, and 8.70... :D *sigh* | 12:27.56 |
kens | Oh that will be fun | 12:28.03 |
| I've no idea what will happen with 9.07 and 8.70, they use a different implementation of 'printf' | 12:28.29 |
deekej | and I have other CVEs I should fix, yet nobody has found a fix for it yet... :D (git-bisect does not show anything, yet it is fixed in 9.23 :D ) | 12:28.47 |
kens | Umm, really ? | 12:29.02 |
| It could have been reported as a different problem of course, and fixed that way | 12:29.17 |
| But presumably if you bisect it, at some point the problem must be present, and then disappear | 12:30.07 |
deekej | ah, ok, so looking back at the issue, it was not classified as CVE as far as I can tell | 12:30.24 |
kens | That's entirely possible | 12:30.32 |
| I might even say it's common | 12:30.43 |
deekej | kens: that's the problem - on RHEL-7, the ghostscript build received so much modification that it's a combination of several things, that's why we are unable to find the fix with the bisect | 12:31.29 |
| there's some part on our side causing the problem | 12:31.40 |
kens | Oh, well presumably you could bisect the vanilla Ghostscript sources, assuming the problem isn't limited to that specific, oh it is specific to your implementation? | 12:32.16 |
| I guess we can't help with that | 12:32.27 |
deekej | it's specific partially to the way we deal with fonts I would say | 12:32.37 |
| I will be looking into this more on Monday :) | 12:32.51 |
kens | Enjoy :-) | 12:32.56 |
deekej | opens a beer and cracks his knuckles :D | 12:33.56 |