Resources
List of third party libraries
https://www.ghostscript.com/doc/current/thirdparty.htm
Configuration of clazzes-ghostscript
The following configure options are used for clazzes-ghostscript
./configure --prefix=/usr/clazzes-ghostscript --enable-dynamic --disable-cups --disable-gtk --without-x
Hence, the security review does not need to cover the CUPS library or any X-Windows or GTK-related ghostscript issues.
Applicable Third Party Libraries
Library Name | Version | Function | License | URL |
---|---|---|---|---|
eXpat | 2.2.9 | XML parsing for XPS interpreter | MIT/eXpat License | |
FreeType | 2.10.1 | Font scaling and rendering for Ghostscript | FreeType License | |
jbig2dec | 0.17 | JBIG2 decoding for the PDF interpreter | Licensed with Ghostscript/GhostPDL | |
libjpeg | 9c | JPEG/DCT decoding/encoding | "Free" | |
LittleCMS 2 mt | 2.9mt | ICC profile based color conversion and management | MIT LICENSE | |
libpng | 1.6.37 | PNG image encoding/decoding. | libpng license | |
OpenJPEG | 2.3.1 | JPEG2000 image decoding for the PDF interpreter | BSD-style | |
libtiff | 4.1.0 | TIFF image encoding/decoding | BSD-style | |
zlib | 1.2.11 | (De)Flate compression | zlib License | |
Review of CVEs
CVEs of ghostscript-9.53.3
Query:
As of 2020-12-27 no major CVEs are open against the core ghostscript project.
A long list of vulnerabilities has been fixed for ghostscript-9.51 after a thorough security review.
The most recent CVE, https://nvd.nist.gov/vuln/detail/CVE-2020-14373 is a problem specific to ghostscript-9.25, which has been delivered with RHEL. This CVE has been fixed for ghostscript-9.53, see https://bugs.ghostscript.com/show_bug.cgi?id=702851
CVEs of libexpat 2.2.9
No known CVEs as of 2020-12-27.
CVEs of freetype 2.10.1
freetype-2.10.1 is subject to the following zero-day vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-15999
Hence, we upgraded to freetype-2.10.4 as of svn rev. 71
CVEs of jbig2dec 0.17
jbig2dec-0.17 is subject to the following severe vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-12268
The patch originates from April 2020 and is actually included in the sources of ghostscript-9.53.3, which has been manually verified.
CVEs of libjpeg-9c
libjpeg-9c is vulnerable to
https://nvd.nist.gov/vuln/detail/CVE-2020-14152
https://nvd.nist.gov/vuln/detail/CVE-2020-14153
Hence, we upgraded to libjpeg-9d as of svn rev. 72
CVEs of libpng-1.6.37
No known CVEs as of 2020-12-27.
CVEs of openjpeg-2.3.1
The vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-15389
only affects the openjpeg command-line tools, which are not included in ghostscript, because ghostscript only uses the openjpeg library.
CVEs of libtiff-4.1.0
All CVEs are reported against libtiff-4.0.x, and a review of the git commits revealed that libtiff-4.1.0 indeed incorporates all fixes for the CVEs listed above.
CVEs of zlib 1.2.11
This list contains only CVEs of third-party projects that do not apply the awkward zlib API correctly, resulting in buffer over- and/or underruns. zlib itself has not been subject to any CVE during the last 3 years.
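As an added example (not part of this review or of the ghostscript project), the following Python script records the pinned versions from the library table and the CVE findings of this section as data, and reports for each CVE whether the build is still vulnerable, fixed upstream, or waived. The fixed-in versions 2.10.4, 9d and 0.18 and the waiver texts are assumptions taken from the findings above; the version comparison handles libjpeg-style letter suffixes such as "9c" and "9d".

```python
import re

# Pinned versions as listed in the "Applicable Third Party Libraries" table.
PINNED = {
    "freetype": "2.10.1",
    "jbig2dec": "0.17",
    "libjpeg": "9c",
    "openjpeg": "2.3.1",
    "libtiff": "4.1.0",
    "zlib": "1.2.11",
}

# (CVE, library, first fixed upstream version or None, waiver text or None).
# Fixed-in versions and waivers are assumptions derived from the review text above.
ADVISORIES = [
    ("CVE-2020-15999", "freetype", "2.10.4", None),
    ("CVE-2020-14152", "libjpeg", "9d", None),
    ("CVE-2020-14153", "libjpeg", "9d", None),
    ("CVE-2020-12268", "jbig2dec", "0.18", "fix backported into the ghostscript-9.53.3 sources"),
    ("CVE-2020-15389", "openjpeg", None, "affects openjpeg command-line tools only, which are not built"),
]


def version_key(version):
    """Sortable key: numeric parts compare numerically, a letter suffix ("9c") sorts after the bare number."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version.lower()))


def assess(pinned, advisories):
    """Return {cve: status} for the given pinned library versions."""
    result = {}
    for cve, lib, fixed_in, waiver in advisories:
        current = pinned.get(lib)
        if current is None:
            result[cve] = "library not built"
        elif fixed_in is not None and version_key(current) >= version_key(fixed_in):
            result[cve] = "fixed upstream"
        elif waiver:
            result[cve] = f"waived: {waiver}"
        else:
            result[cve] = f"vulnerable: upgrade to {fixed_in or 'a fixed release (none recorded)'}"
    return result


if __name__ == "__main__":
    for label, versions in (("as pinned", PINNED),
                            ("after svn rev. 71/72", {**PINNED, "freetype": "2.10.4", "libjpeg": "9d"})):
        print(label)
        for cve, status in assess(versions, ADVISORIES).items():
            print(f"  {cve}: {status}")
```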