List of third party libraries
https://www.ghostscript.com/doc/current/thirdparty.htm
The following configure options are used for clazzes-ghostscript:

```shell
./configure --prefix=/usr/clazzes-ghostscript --enable-dynamic \
    --disable-cups --disable-gtk --without-x
```

Hence, the security review does not need to cover the CUPS library or any X-Windows or GTK-related ghostscript issues.
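A reviewer relying on the configure options above will want to confirm that the installed binary really carries no CUPS, GTK or X11 dependency. The following script is an added example, not part of the original review: it parses `ldd` output for forbidden library names. The `FORBIDDEN_PREFIXES` list and the sample `ldd` output are constructed for illustration; `ldd` itself is only invoked when paths are passed on the command line.

```python
"""Verify that a Ghostscript build configured with --disable-cups
--disable-gtk --without-x has no runtime dependency on CUPS, GTK or X11.
Added example: parses ldd output; runs ldd only on paths given as arguments."""
import re
import subprocess
import sys

# Shared-object name prefixes that the configure options are meant to exclude
# (assumed list; extend it for the distribution under review).
FORBIDDEN_PREFIXES = ("libcups", "libgtk", "libgdk", "libX11", "libXt", "libXext")

# Constructed sample of ldd output for an illustrative clean build (not real data).
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3c9f1000)
\tlibgs.so.9 => /usr/clazzes-ghostscript/lib/libgs.so.9 (0x00007f0a1c000000)
\tlibfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f0a1bf00000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0a1be00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bc00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f0a1c200000)
"""

# One ldd line: "<soname> => <path> (<addr>)" or "<soname> (<addr>)".
LDD_LINE = re.compile(r"^\s*(\S+\.so(?:\.\d+)*)\s*(?:=>\s*(\S+))?")


def parse_ldd(text):
    """Return the shared-object names mentioned in ldd output, in order."""
    names = []
    for line in text.splitlines():
        match = LDD_LINE.match(line)
        if match:
            # Keep only the basename so "/lib64/ld-linux-x86-64.so.2" compares like the rest.
            names.append(match.group(1).rsplit("/", 1)[-1])
    return names


def forbidden_deps(text):
    """Sorted list of dependencies whose name starts with a forbidden prefix."""
    return sorted(n for n in parse_ldd(text) if n.startswith(FORBIDDEN_PREFIXES))


def check_binary(path):
    """Run ldd on one file and return its forbidden dependencies."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    return forbidden_deps(out.stdout)


if __name__ == "__main__":
    # Usage: python check_deps.py /usr/clazzes-ghostscript/bin/gs [more .so files]
    bad = {p: check_binary(p) for p in sys.argv[1:]}
    for path, deps in bad.items():
        print(path, "OK" if not deps else "FORBIDDEN: " + ", ".join(deps))
    sys.exit(1 if any(bad.values()) else 0)
```

Because the build uses `--enable-dynamic`, driver modules are installed as separate shared objects under the prefix and are loaded at run time, so they never show up in `ldd` output for the main `gs` binary; pass every `.so` under `/usr/clazzes-ghostscript` to the script as well to cover them.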
Library Name | Version | Function | License | URL |
---|---|---|---|---|
eXpat | 2.2.9 | XML parsing for XPS interpreter | MIT/eXpat License | |
FreeType | 2.10.1 | Font scaling and rendering for Ghostscript | FreeType License | |
jbig2dec | 0.17 | JBIG2 decoding for the PDF interpreter | Licensed with Ghostscript/GhostPDL | |
libjpeg | 9c | JPEG/DCT decoding/encoding | "Free" | |
LittleCMS 2 mt | 2.9mt | ICC profile based color conversion and management | MIT LICENSE | |
libpng | 1.6.37 | PNG image encoding/decoding. | libpng license | |
OpenJPEG | 2.3.1 | JPEG2000 image decoding for the PDF interpreter | BSD-style | |
libtiff | 4.1.0 | TIFF image encoding/decoding | BSD-style | |
zlib | 1.2.11 | (De)Flate compression | zlib License | |
Query:
As of 2020-12-27 no major CVEs are open against the core ghostscript project.
A long list of vulnerabilities has been fixed for ghostscript-9.51 after a thorough security review.
The most recent CVE, https://nvd.nist.gov/vuln/detail/CVE-2020-14373, is a problem specific to ghostscript-9.25, which has been delivered with RHEL. This CVE has been fixed for ghostscript-9.53, see https://bugs.ghostscript.com/show_bug.cgi?id=702851
No known CVEs as of 2020-12-27.
freetype-2.10.1 is subject to the zero-day exploit
https://nvd.nist.gov/vuln/detail/CVE-2020-15999
Hence, we upgraded to freetype-2.10.4 as of svn rev. 71
jbig2dec-0.17 is subject to the following severe vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-12268
The patch originates from April 2020 and is actually included in the sources of ghostscript-9.53.3, which has been manually verified.
libjpeg-9c is vulnerable to
https://nvd.nist.gov/vuln/detail/CVE-2020-14152
https://nvd.nist.gov/vuln/detail/CVE-2020-14153
Hence, we upgraded to libjpeg-9d as of svn rev. 72
No known CVEs as of 2020-12-27.
The vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-15389
only affects the openjpeg command line tools, which are not included in ghostscript, because ghostscript uses only the openjpeg library.
All CVEs are reported against libtiff-4.0.x, and a review of git commits revealed that libtiff-4.1.0 indeed incorporates all fixes for the CVEs listed above.
This list contains only CVEs in third-party projects that apply the awkward zlib API incorrectly, causing buffer over- and/or underruns. zlib itself is not subject to any CVE that appeared during the last 3 years.
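The notes above reduce to a version comparison per library, plus one case (jbig2dec) where the fix is a backported patch rather than a version bump, which a naive version check would flag as still vulnerable. The following script is an added example, not part of the original review: it audits the pinned versions against a small advisory table. The pinned versions come from the library table and the two upgrades recorded above; the advisory table is constructed from those notes (the jbig2dec fixed-in version 0.18 is taken from the CVE description, not from the notes) and is not an authoritative vulnerability feed.

```python
"""Audit pinned third-party library versions against known fixed-in versions.
Added example; the advisory table is constructed from the review notes."""
import re

# Pinned versions: the library table plus the upgrades recorded in the notes
# (freetype -> 2.10.4 at svn rev. 71, libjpeg -> 9d at svn rev. 72).
PINNED = {
    "expat": "2.2.9",
    "freetype": "2.10.4",
    "jbig2dec": "0.17",
    "libjpeg": "9d",
    "lcms2": "2.9mt",
    "libpng": "1.6.37",
    "openjpeg": "2.3.1",
    "libtiff": "4.1.0",
    "zlib": "1.2.11",
}

# (library, CVE, first version that no longer contains the issue).
# Constructed from the notes above; jbig2dec 0.18 is per the CVE description.
ADVISORIES = [
    ("freetype", "CVE-2020-15999", "2.10.4"),
    ("libjpeg", "CVE-2020-14152", "9d"),
    ("libjpeg", "CVE-2020-14153", "9d"),
    ("jbig2dec", "CVE-2020-12268", "0.18"),
]

# CVEs whose fix was verified as a backported patch in the bundled sources,
# so the version number alone understates the state of the tree.
BACKPORTED = {"CVE-2020-12268"}


def version_key(version):
    """Sortable key for version strings such as 2.10.4, 9c, 2.9mt, 1.6.37.

    Digit runs compare numerically; letter runs (libjpeg's 9c/9d, lcms2's
    'mt' suffix) compare lexically and always sort after a bare number."""
    key = []
    for num, alpha in re.findall(r"(\d+)|([A-Za-z]+)", version):
        key.append((0, int(num), "") if num else (1, 0, alpha.lower()))
    return tuple(key)


def audit(pinned, advisories, backported=BACKPORTED):
    """Return (library, cve, status) for every advisory.

    status is 'fixed', 'patched-locally', 'vulnerable' or 'not-bundled'."""
    findings = []
    for lib, cve, fixed_in in advisories:
        current = pinned.get(lib)
        if current is None:
            findings.append((lib, cve, "not-bundled"))
        elif version_key(current) >= version_key(fixed_in):
            findings.append((lib, cve, "fixed"))
        elif cve in backported:
            # Version says vulnerable, but the patch was verified in-tree.
            findings.append((lib, cve, "patched-locally"))
        else:
            findings.append((lib, cve, "vulnerable"))
    return findings


def unresolved(findings):
    """Only the findings that still need action."""
    return [f for f in findings if f[2] == "vulnerable"]


if __name__ == "__main__":
    for lib, cve, status in audit(PINNED, ADVISORIES):
        print(f"{lib:10} {cve:16} {status}")
```

Run against the table's original versions (freetype 2.10.1, libjpeg 9c) the script reports three `vulnerable` findings, which is exactly what motivated the two upgrades; `patched-locally` entries should stay in the report so the backport is re-verified whenever the bundled sources are refreshed.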