Bug 910294 (CVE-2023-36664) - <app-text/ghostscript-gpl-10.01.2: Code execution vulnerability
Status: IN_PROGRESS
Alias: CVE-2023-36664
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://www.kroll.com/en/insights/pub...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 910308
Blocks:
Reported: 2023-07-13 13:31 UTC by Hanno Böck
Modified: 2024-02-12 02:27 UTC

Description Hanno Böck gentoo-dev 2023-07-13 13:31:45 UTC
This sounds bad:
https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability

10.01.2, which contains the fix, is already in the tree, but not yet stabilized.
Comment 1 Maxxim 2023-07-13 16:28:22 UTC
Version 10.01.2 should be stabilized asap, this is serious.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-25 03:31:19 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2023-09-17 05:26:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9c38541fc770d5ef98f0327092ae33c0bab71167

commit 9c38541fc770d5ef98f0327092ae33c0bab71167
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 05:24:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 05:26:26 +0000

    [ GLSA 202309-03 ] GPL Ghostscript: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/904245
    Bug: https://bugs.gentoo.org/910294
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-03.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 Hans de Graaff gentoo-dev Security 2024-01-21 11:12:38 UTC
Ping. Please remove the vulnerable version 10.01.1.
Comment 5 Larry the Git Cow gentoo-dev 2024-02-12 02:27:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb992af9d6c86f4a7a60cca4d086851e05092804

commit bb992af9d6c86f4a7a60cca4d086851e05092804
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-02-12 02:26:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-12 02:26:59 +0000

    app-text/ghostscript-gpl: drop 10.01.1
    
    Bug: https://bugs.gentoo.org/910294
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   1 -
 .../ghostscript-gpl/ghostscript-gpl-10.01.1.ebuild | 190 ---------------------
 2 files changed, 191 deletions(-)