Bug 692106 (CVE-2019-10216) - <app-text/ghostscript-gpl-9.28_rc4: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Status: RESOLVED FIXED
Alias: CVE-2019-10216
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817
Blocks:
Reported: 2019-08-13 23:10 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-01 19:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-13 23:10:22 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-13 23:12:15 UTC
The .buildfont1 does not sufficiently protect its environment. A specially crafted PostScript script can override the typecheck error handler to retrieve a reference to .forceput. This can be used to disable -dSAFER and, for example, access files outside of the restricted area.

Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-10-24 01:32:31 UTC
Ghostscript 9.50 was released on 2019-10-15:
https://ghostscript.com/pipermail/gs-devel/2019-October/010232.html

"""
The more astute among you might notice that 9.28 has morphed into 9.50.
In a recent discussion amongst the Ghostscript developers, it became
clear that the redesign and reimplementation of the file security
features warranted more recognition than just the usual single digit
version increment. Hence we opted to bump it up to 9.50.
"""
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-10-24 23:36:36 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afdbdbedba9222816f18bbf03d102bdb73ce3a15

commit afdbdbedba9222816f18bbf03d102bdb73ce3a15
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-24 22:18:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-24 22:29:05 +0000

    app-text/ghostscript-gpl: bump to v9.50
    
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:45:01 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 19:53:19 UTC
This issue was resolved and addressed in
 GLSA 202004-03 at https://security.gentoo.org/glsa/202004-03
by GLSA coordinator Thomas Deutschmann (whissi).
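
To check an installed version against the affected range in this bug's title (`<app-text/ghostscript-gpl-9.28_rc4`), the following added example, which is not part of the original bug report and is not Portage's own code, implements a simplified subset of Gentoo version ordering. The function names and the sample versions are constructed for illustration.

```python
import re

# Boundary taken from the bug title: versions below this are affected.
FIXED_IN = "9.28_rc4"

# Suffix ordering used by Gentoo versions:
# _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)


def version_key(version):
    """Turn a Gentoo-style version into a tuple that sorts correctly.

    Simplification (assumption of this example): numeric components are
    compared as integers; letter versions such as '1.2b' and chained
    suffixes are rejected rather than guessed at.
    """
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffix = m.group("suffix") or ""
    sufnum = int(m.group("sufnum") or 0)
    rev = int(m.group("rev") or 0)
    return (nums, _SUFFIX_RANK[suffix], sufnum, rev)


def is_affected(installed, fixed_in=FIXED_IN):
    """True if 'installed' sorts strictly below the fixed version."""
    return version_key(installed) < version_key(fixed_in)


if __name__ == "__main__":
    # Constructed sample versions, not a list of real ebuilds.
    for v in ("9.26", "9.27-r1", "9.28_rc3", "9.28_rc4", "9.50"):
        print(v, "affected" if is_affected(v) else "not affected")
```
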