Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 932125 (CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871) - <app-text/ghostscript-gpl-10.03.1: Multiple vulnerabilities
Summary: <app-text/ghostscript-gpl-10.03.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 935302
Blocks:
  Show dependency tree
 
Reported: 2024-05-18 04:48 UTC by Sam James
Modified: 2024-12-14 08:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-18 04:48:22 UTC
```
--- /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.0-r1/work/ghostscript-10.03.0/doc/News.html  2024-03-07 08:41:29.000000000 +0000
+++ /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.1/work/ghostscript-10.03.1/doc/News.html     2024-05-02 10:45:25.000000000 +0100
@@ -5,16 +5,28 @@
 <!-- [1.0 end visible header] ============================================== -->
 
 <!-- [2.0 begin contents] ================================================== -->
-<h2><a name="Version10.03.0"></a>Version 10.03.0 (2024-03-06)</h2>
+<h2><a name="Version10.03.1"></a>Version 10.03.1 (2024-05-02)</h2>
 <p> Highlights in this release include:
 <ul>
 <li>
+<p>Fixes for CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871 and CVE-2024-29510
+</li>
+<li>
+<p><b>IMPORTANT:</b> For the 10.04.0 release (fall/autumn 2024) we will be adding protection for
+device selection from PostScript input. This will mean that, by default, only the device specified
+on the command line will be permitted. Similar to the file permissions, there will be a &quot;--permit-devices=&quot;
+allowing a comma separation list of allowed devices. This will also take a single wildcard &quot;*&quot; allowing any device.
+<p>Any application which relies on allowing PostScript to change devices during a job will have to be aware, and take action
+to deal with this change.
+<p>The exception is &quot;nulldevice&quot;, switching to that requires no special action.
+</li>
+<li>
[...]
```
Comment 1 Larry the Git Cow gentoo-dev 2024-05-18 04:49:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43885d30528e8aab209fef02ff7f893596422e54

commit 43885d30528e8aab209fef02ff7f893596422e54
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-18 04:19:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-18 04:48:29 +0000

    app-text/ghostscript-gpl: add 10.03.1
    
    Bug: https://bugs.gentoo.org/932125
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   1 +
 .../ghostscript-gpl/ghostscript-gpl-10.03.1.ebuild | 196 +++++++++++++++++++++
 2 files changed, 197 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-05-19 05:41:33 UTC
CVE-2023-52722

An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.


Currently there is no information published on the other CVEs.
Comment 4 Larry the Git Cow gentoo-dev 2024-09-22 05:52:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f1955fe192a70cb17b3cc29ef3ff2409a0acb4f7

commit f1955fe192a70cb17b3cc29ef3ff2409a0acb4f7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 05:52:02 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:52:13 +0000

    [ GLSA 202409-03 ] GPL Ghostscript: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/932125
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-03.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)