Summary: | <app-text/ghostscript-gpl-8.71-r6: insecure handling of initialization (CVE-2010-2055) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Peter Volkov (RETIRED) <pva> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED DUPLICATE | ||
Severity: | normal | CC: | printing |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.ghostscript.com/show_bug.cgi?id=691350#c19 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Peter Volkov (RETIRED)
2010-06-01 11:09:05 UTC
Ghostscript has been fixed to not search the current working directory any more and also honor the -P- option as of ghostscript >=9.00, see URL.

http://ghostscript.com/doc/9.00/Use.htm#Finding_files

If the test succeeds, Ghostscript tries to open the file using the name given. Otherwise it tries directories in this order:
1. The current directory if enabled by the -P switch;
2. ...

"By default, Ghostscript no longer searches the current directory first but provides -P switch for a degree of backward compatibility."

@security: this can probably be resolved, see comment #1 and the fact that only version 9.0* is left in the tree...

Thanks, Andreas and Timo. This is CVE-2010-2055, which was already addressed in bug 332061, fixed with app-text/ghostscript-gpl-8.71-r6.

*** This bug has been marked as a duplicate of bug 332061 ***
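
Added example, not part of the bug report or of Ghostscript: a POSIX shell wrapper that applies what the comments above state, passing -P- on Ghostscript >= 9.00. As an assumption of this example, older or unrecognised builds are run from a fresh empty directory instead; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; gs_search_status and run_gs_checked are hypothetical names.

# Classify a Ghostscript version string by what the report says about it:
#   fixed   - >= 9.00: current directory not searched by default, -P- honored
#   legacy  - <  9.00: upstream behaviour predates the fix; a distro build
#             such as app-text/ghostscript-gpl-8.71-r6 may carry a backport
#             that the version string alone cannot show
#   unknown - the string does not start with a numeric major version
gs_search_status() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -ge 9 ]; then echo fixed; else echo legacy; fi
}

# Run gs with the given arguments so that files in the caller's current
# directory cannot be picked up by Ghostscript's file search.
# File arguments must be absolute paths, because the fallback changes directory.
run_gs_checked() {
    ver=$(gs --version 2>/dev/null) || { echo "gs not found" >&2; return 127; }
    case $(gs_search_status "$ver") in
        fixed)
            # -P- explicitly disables searching the current directory first.
            gs -P- "$@"
            ;;
        *)
            # Assumption of this example: do not rely on -P- here; make the
            # current directory an empty one that only this user can write to.
            echo "ghostscript $ver: running from an empty directory" >&2
            workdir=$(mktemp -d) || return 1
            ( cd "$workdir" && gs "$@" )
            rc=$?
            rmdir "$workdir" 2>/dev/null
            return "$rc"
            ;;
    esac
}
```
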