Bug 932125 (CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871)

Summary:	<app-text/ghostscript-gpl-10.03.1: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	codec, printing
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 [stable]
Package list:		Runtime testing required:	---
Bug Depends on:	935302
Bug Blocks:

Description Sam James archtester

2024-05-18 04:48:22 UTC

```
--- /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.0-r1/work/ghostscript-10.03.0/doc/News.html  2024-03-07 08:41:29.000000000 +0000
+++ /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.1/work/ghostscript-10.03.1/doc/News.html     2024-05-02 10:45:25.000000000 +0100
@@ -5,16 +5,28 @@
 <!-- [1.0 end visible header] ============================================== -->
 
 <!-- [2.0 begin contents] ================================================== -->
-<h2><a name="Version10.03.0"></a>Version 10.03.0 (2024-03-06)</h2>
+<h2><a name="Version10.03.1"></a>Version 10.03.1 (2024-05-02)</h2>
 <p> Highlights in this release include:
 <ul>
 <li>
+<p>Fixes for CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871 and CVE-2024-29510
+</li>
+<li>
+<p><b>IMPORTANT:</b> For the 10.04.0 release (fall/autumn 2024) we will be adding protection for
+device selection from PostScript input. This will mean that, by default, only the device specified
+on the command line will be permitted. Similar to the file permissions, there will be a &quot;--permit-devices=&quot;
+allowing a comma separation list of allowed devices. This will also take a single wildcard &quot;*&quot; allowing any device.
+<p>Any application which relies on allowing PostScript to change devices during a job will have to be aware, and take action
+to deal with this change.
+<p>The exception is &quot;nulldevice&quot;, switching to that requires no special action.
+</li>
+<li>
[...]
```

Comment 1 Larry the Git Cow gentoo-dev

2024-05-18 04:49:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43885d30528e8aab209fef02ff7f893596422e54

commit 43885d30528e8aab209fef02ff7f893596422e54
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-18 04:19:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-18 04:48:29 +0000

    app-text/ghostscript-gpl: add 10.03.1
    
    Bug: https://bugs.gentoo.org/932125
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   1 +
 .../ghostscript-gpl/ghostscript-gpl-10.03.1.ebuild | 196 +++++++++++++++++++++
 2 files changed, 197 insertions(+)

Comment 2 Hans de Graaff gentoo-dev

2024-05-19 05:41:33 UTC

CVE-2023-52722

An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.


Currently there is no information published on the other CVEs.

Comment 3 Sam James archtester

2024-07-01 20:19:34 UTC

https://www.openwall.com/lists/oss-security/2024/06/28/2