Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 676154 - app-text/ghostscript-gpl vulnerability CVE-2019-6116
Summary: app-text/ghostscript-gpl vulnerability CVE-2019-6116
Status: RESOLVED DUPLICATE of bug 676264
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [upstream/ebuild]
Depends on:
Reported: 2019-01-24 09:55 UTC by Guillaume Ceccarelli
Modified: 2019-03-27 23:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Guillaume Ceccarelli 2019-01-24 09:55:44 UTC
Google Project Zero's Tavis Ormandy recently disclosed a vulnerability in ghostscript allowing for arbitrary code execution when manipulating postscript files.

It's notably possible to trigger the the bug through a simple imagemagick / graphicmagick "convert anyfile.jpg" call, which can probably lead to RCE on any number of systems doing user-submitted image file conversions.

Patches are referenced in the OpenWall announcement, and they are in the official ghostscript git, so we can probably expect an official release fixing the problem at some point.

Other references:

There are six patches in total from the announcement, but two of them don't seem to apply cleanly on top of ghostscript-9.26.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 23:59:29 UTC

*** This bug has been marked as a duplicate of bug 676264 ***