Bug 939342 (CVE-2015-3228)

Summary: VUL-0: CVE-2015-3228: ghostscript,ghostscript-library: out of bound read/write caused by integer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: astieger, jsmeix, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: All
OS: SUSE Other
URL: https://smash.suse.de/issue/119239/
Whiteboard: CVSSv2:RedHat:CVE-2015-3228:4.0:(AV:N/AC:H/Au:N/C:P/I:N/A:P) CVSSv2:NVD:CVE-2015-3228:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) maint:released:sle10-sp3:62241 maint:running:63120:important
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Reproducer

Comment 6 Swamp Workflow Management 2015-07-28 08:37:16 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-08-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62237

Comment 16 Johannes Meixner 2015-07-29 12:09:41 UTC
Fixed and submitted for openSUSE 13.2
-----------------------------------------------------------------------------
$ osc maintenancerequest -m 'Fixed CVE-2015-3228 (bsc#939342)'
 home:jsmeix:branches:openSUSE:13.2:Update
 ghostscript.openSUSE_13.2_Update openSUSE:13.2:Update
Using target project 'openSUSE:Maintenance'
319390
-----------------------------------------------------------------------------

Comment 17 Bernhard Wiedemann 2015-07-29 13:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (939342) was mentioned in
https://build.opensuse.org/request/show/319390 13.2 / ghostscript

Comment 18 Johannes Meixner 2015-07-29 13:16:41 UTC
Fixed and submitted for openSUSE 13.1
-------------------------------------------------------------------------
$ osc maintenancerequest -m 'Fixed CVE-2015-3228 (bsc#939342)'
 home:jsmeix:branches:openSUSE:13.1:Update
 ghostscript.openSUSE_13.1_Update openSUSE:13.1:Update
Using target project 'openSUSE:Maintenance'
319411
-------------------------------------------------------------------------

Comment 19 Johannes Meixner 2015-07-29 13:55:54 UTC
Fixed and submitted for "Printing" and forwarded to Factory
-------------------------------------------------------------------------
$ osc submitrequest -m 'Fixed CVE-2015-3228 (bsc#939342)'
 home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 319418

$ osc request accept -m 'Fixed CVE-2015-3228 (bsc#939342)' 319418
Result of change request state: ok
openSUSE:Factory
Forward this submit to it? ([y]/n)y
Fixed CVE-2015-3228 (bsc#939342) (forwarded request 319418 from jsmeix)
New request # 319420
-------------------------------------------------------------------------

The issue is now fixed everywhere.

Comment 20 Johannes Meixner 2015-07-29 13:57:48 UTC
Reopened and reassigned to security-team for further processing.

Comment 21 Bernhard Wiedemann 2015-07-29 14:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (939342) was mentioned in
https://build.opensuse.org/request/show/319411 13.1 / ghostscript
https://build.opensuse.org/request/show/319420 Factory / ghostscript

Comment 22 Swamp Workflow Management 2015-08-06 12:32:42 UTC
openSUSE-SU-2015:1352-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 939342
CVE References: CVE-2015-3228
Sources used:
openSUSE 13.2 (src):    ghostscript-9.15-3.1, ghostscript-mini-9.15-3.1
openSUSE 13.1 (src):    ghostscript-9.07-3.3.1, ghostscript-mini-9.07-3.3.1

Comment 24 Swamp Workflow Management 2016-03-24 15:08:53 UTC
SUSE-SU-2016:0884-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 939342,963017
CVE References: CVE-2015-3228
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ghostscript-9.15-6.5
SUSE Linux Enterprise Software Development Kit 12 (src):    ghostscript-9.15-6.5
SUSE Linux Enterprise Server 12-SP1 (src):    ghostscript-9.15-6.5
SUSE Linux Enterprise Server 12 (src):    ghostscript-9.15-6.5
SUSE Linux Enterprise Desktop 12-SP1 (src):    ghostscript-9.15-6.5
SUSE Linux Enterprise Desktop 12 (src):    ghostscript-9.15-6.5

Comment 25 Swamp Workflow Management 2016-04-05 12:07:48 UTC
openSUSE-SU-2016:0951-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 939342,963017
CVE References: CVE-2015-3228
Sources used:
openSUSE Leap 42.1 (src):    ghostscript-9.15-5.1, ghostscript-mini-9.15-5.1

Comment 26 Swamp Workflow Management 2016-10-11 16:10:12 UTC
SUSE-SU-2016:2493-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1001951,939342
CVE References: CVE-2013-5653,CVE-2015-3228,CVE-2016-7977,CVE-2016-7979
Sources used:
SUSE OpenStack Cloud 5 (src):    ghostscript-library-8.62-32.38.1
SUSE Manager Proxy 2.1 (src):    ghostscript-library-8.62-32.38.1
SUSE Manager 2.1 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ghostscript-library-8.62-32.38.1

Comment 27 Marcus Meissner 2016-12-22 12:33:22 UTC
released