``` --- /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.0-r1/work/ghostscript-10.03.0/doc/News.html 2024-03-07 08:41:29.000000000 +0000 +++ /tmp/mgorny-dev-scripts/portage/app-text/ghostscript-gpl-10.03.1/work/ghostscript-10.03.1/doc/News.html 2024-05-02 10:45:25.000000000 +0100 @@ -5,16 +5,28 @@ <!-- [1.0 end visible header] ============================================== --> <!-- [2.0 begin contents] ================================================== --> -<h2><a name="Version10.03.0"></a>Version 10.03.0 (2024-03-06)</h2> +<h2><a name="Version10.03.1"></a>Version 10.03.1 (2024-05-02)</h2> <p> Highlights in this release include: <ul> <li> +<p>Fixes for CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871 and CVE-2024-29510 +</li> +<li> +<p><b>IMPORTANT:</b> For the 10.04.0 release (fall/autumn 2024) we will be adding protection for +device selection from PostScript input. This will mean that, by default, only the device specified +on the command line will be permitted. Similar to the file permissions, there will be a "--permit-devices=" +allowing a comma separation list of allowed devices. This will also take a single wildcard "*" allowing any device. +<p>Any application which relies on allowing PostScript to change devices during a job will have to be aware, and take action +to deal with this change. +<p>The exception is "nulldevice", switching to that requires no special action. +</li> +<li> [...] ```
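Review bot: the new "IMPORTANT" paragraph in the 10.03.1 list item has a wording slip: "a comma separation list of allowed devices" should read "a comma-separated list of allowed devices", and "will have to be aware, and take action to deal with this change" would be tighter as "must be updated to deal with this change". The preceding bullet also names five CVEs (CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871, CVE-2024-29510) with no link or one-line description for any of them, so a reader of News.html cannot tell which component or which class of issue each fix addresses; a short per-CVE note, or a link to the corresponding advisory, would make the release notes self-contained.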
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43885d30528e8aab209fef02ff7f893596422e54

commit 43885d30528e8aab209fef02ff7f893596422e54
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-05-18 04:19:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-18 04:48:29 +0000

    app-text/ghostscript-gpl: add 10.03.1

    Bug: https://bugs.gentoo.org/932125
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   1 +
 .../ghostscript-gpl/ghostscript-gpl-10.03.1.ebuild | 196 +++++++++++++++++++++
 2 files changed, 197 insertions(+)
CVE-2023-52722: An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.

Currently there is no information published on the other CVEs.
https://www.openwall.com/lists/oss-security/2024/06/28/2
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=f1955fe192a70cb17b3cc29ef3ff2409a0acb4f7

commit f1955fe192a70cb17b3cc29ef3ff2409a0acb4f7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 05:52:02 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:52:13 +0000

    [ GLSA 202409-03 ] GPL Ghostscript: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/932125
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-03.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)