Bug 270800

Summary: print/ghostscript10: please fix CVE-2023-28879 by updating to 10.01.1
Product: Ports & Packages Reporter: Matthias Andree <mandree>
Component: Individual Port(s) Assignee: Matthias Andree <mandree>
Status: Closed FIXED    
Severity: Affects Many People CC: diizzy, fernape, michael.osipov, ports-secteam
Priority: --- Keywords: security
Version: Latest Flags: michael.osipov: maintainer-feedback+
mandree: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270823
Attachments:
Description Flags
Patch for ghostscript10 (port only) none

Description Matthias Andree freebsd_committer freebsd_triage 2023-04-12 20:24:21 UTC
Please update to 10.01.1 which fixes CVE-2023-28879, and add a vulndb entry, see https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2023-04-12 21:50:30 UTC
Created attachment 241449 [details]
Patch for ghostscript10 (port only)

Poudriere testport OK - 12.4 amd64, 13.2 i386
Comment 2 Michael Osipov 2023-04-13 06:18:18 UTC
Will test as well and give my consent.
Comment 3 Michael Osipov 2023-04-13 08:09:26 UTC
(In reply to Daniel Engberg from comment #1)

The patch works for me, please commit and MFH to 2023Q2.

Thank you!
Comment 4 Fernando Apesteguía freebsd_committer freebsd_triage 2023-04-13 08:58:03 UTC
^Triage: reporter is committer, assign accordingly.
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2023-04-13 09:01:48 UTC
Also, please remember to add an entry to VuXML: https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify-vuxml-testing

cd security/vuxml && make newentry CVE_ID=CVE-2023-28879 should get you half way.
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-04-13 19:21:04 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=83831bbefd984abe6b35bcaa13eb99f60a8fd470

commit 83831bbefd984abe6b35bcaa13eb99f60a8fd470
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2023-04-13 19:18:19 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-13 19:20:07 +0000

    print/ghostscript10: update to 10.01.1

    to fix
    Security:       CVE-2023-28879
    Security:       25872b25-da2d-11ed-b715-a1e76793953b
    PR:             270800
    Approved by:    Michael Osipov (maintainer)
    MFH:            2023Q2

 print/ghostscript10/Makefile | 2 +-
 print/ghostscript10/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-04-13 19:24:06 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0d5a7e35c0d07e17650cfdcd58b0a0e7e815d7f2

commit 0d5a7e35c0d07e17650cfdcd58b0a0e7e815d7f2
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2023-04-13 19:18:19 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-04-13 19:20:39 +0000

    print/ghostscript10: update to 10.01.1

    to fix
    Security:       CVE-2023-28879
    Security:       25872b25-da2d-11ed-b715-a1e76793953b
    PR:             270800
    Approved by:    Michael Osipov (maintainer)
    MFH:            2023Q2

    (cherry picked from commit 83831bbefd984abe6b35bcaa13eb99f60a8fd470)

 print/ghostscript10/Makefile | 2 +-
 print/ghostscript10/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)