MGASA-2023-0260 - Updated ghostscript packages fix security vulnerability

Publication date: 11 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0260.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-36664,
     CVE-2023-38559

Ghostscript through 10.01.2 mishandles permission validation for pipe
devices (with the %pipe% prefix or the | pipe character prefix).
(CVE-2023-36664)

A buffer overflow flaw was found in base/gdevdevn.c:1973 in
devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker
to cause a denial of service via outputting a crafted PDF file for a DEVN
device with gs. (CVE-2023-38559)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32237
- https://www.debian.org/security/2023/dsa-5446
- https://ubuntu.com/security/notices/USN-6213-1
- https://bugs.mageia.org/show_bug.cgi?id=32070
- https://ubuntu.com/security/notices/USN-6297-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38559

SRPMS:
- 8/core/ghostscript-9.53.3-2.6.mga8
- 9/core/ghostscript-10.00.0-6.2.mga9

Mageia 2023-0260: ghostscript security update

Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix)

Summary

Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). (CVE-2023-36664)
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs. (CVE-2023-38559)

References

- https://bugs.mageia.org/show_bug.cgi?id=32237

- https://www.debian.org/security/2023/dsa-5446

- https://ubuntu.com/security/notices/USN-6213-1

- https://bugs.mageia.org/show_bug.cgi?id=32070

- https://ubuntu.com/security/notices/USN-6297-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38559

Resolution

MGASA-2023-0260 - Updated ghostscript packages fix security vulnerability

SRPMS

- 8/core/ghostscript-9.53.3-2.6.mga8

- 9/core/ghostscript-10.00.0-6.2.mga9

Severity
Publication date: 11 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0260.html
Type: security
CVE: CVE-2023-36664, CVE-2023-38559

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo