Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 671732 (CVE-2018-19409)

Summary: <app-text/ghostscript-gpl-9.26: improperly implemented security check in zsetdevice function in psi/zdevice.c (CVE-2018-19409)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa+ glsa+ blocked cve]
Package list:
app-text/ghostscript-gpl-9.26
 Runtime testing required: ---
Bug Depends on: 668846    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2018-11-23 01:42:28 UTC 
CVE-2018-19409 (https://nvd.nist.gov/vuln/detail/CVE-2018-19409):
  An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams
  is not checked correctly if another device is used.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-23 16:30:38 UTC 
Raising severity, can be used in a combined attack involving less to get root.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 19:49:51 UTC 
This issue was resolved and addressed in
 GLSA 201811-12 at https://security.gentoo.org/glsa/201811-12
by GLSA coordinator Aaron Bauman (b-man).