Summary: | <app-text/ghostscript-gpl-8.71-r6: Multiple vulnerabilities (CVE-2010-{1628,2055})
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Alex Legler (RETIRED) <a3li>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
Priority: | High
CC: | jaak, pva
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://bugs.ghostscript.com/show_bug.cgi?id=691295
Whiteboard: | B2 [glsa]
Package list: |
Runtime testing required: | ---
Attachments: |

Description
Alex Legler (RETIRED)
2010-08-10 14:51:57 UTC
This is not yet fixed in 8.71, but there's a patch upstream (bug in $URL) at http://bugs.ghostscript.com/attachment.cgi?id=6350

CVE-2010-2055 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2055):
Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program.

For the second issue:
Patch: http://bugs.ghostscript.com/attachment.cgi?id=6441
Bug: http://bugs.ghostscript.com/show_bug.cgi?id=691350

Thanks, fixed with ghostscript-gpl-8.71-r6. I took Dr. Werner Fink's patch from upstream bug #691350 for <=8.71.

=media-fonts/urw-fonts-2.4.9 needs to get stabilized along with ghostscript-gpl-8.71-r6. It is a new dependency over -r1 (replacing gnu-gs-fonts-std). (~mips is the only arch which still needs to keyword urw-fonts, see KEYWORDREQ bug #288861).

Can this go stable now?

(In reply to comment #5)
> Can this go stable now?

Yes please, stabilize:
=media-fonts/urw-fonts-2.4.9 (bug #288861)
=app-text/ghostscript-gpl-8.71-r6

*** Bug 340493 has been marked as a duplicate of this bug. ***

Arches, please test and mark stable:
=media-fonts/urw-fonts-2.4.9 (bug #288861)
=app-text/ghostscript-gpl-8.71-r6
Target keywords for both packages: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Created attachment 251139
Build log
everything seems to go through on amd64.
I know QA notice, but I do not know if they are known errors and/or if they are resolvable or not.

Stable for HPPA.

x86 stable

amd64 done

ppc64 done

alpha/arm/ia64/s390/sh/sparc stable

ppc done too

Thanks, folks. GLSA request filed.

Thanks guys. No vulnerable version in tree anymore. Nothing left to do for printing.

*** Bug 322357 has been marked as a duplicate of this bug. ***

This issue was resolved and addressed in GLSA 201412-17 at http://security.gentoo.org/glsa/glsa-201412-17.xml by GLSA coordinator Sean Amoss (ackle).