Alerts This Week
Warning Icon 1 659
Alerts This Week
Warning Icon 1 659

openSUSE: 2018:4138-1 Important: Ghostscript Access Issues and Fixes

opensuse
Calendar Grey December 15, 2018
Dist Opensuse Esm H88
A vital security enhancement regarding ghostscript on openSUSE addresses several weaknesses. Discover further details regarding this update initiative.
An update that solves 8 vulnerabilities and has one errata is now available.

Description

This update for ghostscript to version 9.26 fixes the following issues:

Security issues fixed:

- CVE-2018-19475: Fixed bypass of an intended access restriction in

psi/zdevice2.c (bsc#1117327)

- CVE-2018-19476: Fixed bypass of an intended access restriction in

psi/zicc.c (bsc#1117313)

- CVE-2018-19477: Fixed bypass of an intended access restriction in

psi/zfjbig2.c (bsc#1117274)

- CVE-2018-19409: Check if another device is used correctly in

LockSafetyParams (bsc#1117022)

- CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator

(bsc#1112229)

- CVE-2018-18073: Fixed leaks through operator in saved execution stacks

(bsc#1111480)

- CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly

(bsc#1111479)

- CVE-2018-17183: Fixed a potential code injection by specially crafted

PostScript files (bsc#1109105)

Version update to 9.26 (bsc#1117331):

- Security issues have been the primary...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory ghostscript important code injection access restriction openSUSE sandbox escape

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1552=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

ghostscript-9.26-lp150.2.9.1

ghostscript-debuginfo-9.26-lp150.2.9.1

ghostscript-debugsource-9.26-lp150.2.9.1

ghostscript-devel-9.26-lp150.2.9.1

ghostscript-mini-9.26-lp150.2.9.1

ghostscript-mini-debuginfo-9.26-lp150.2.9.1

ghostscript-mini-debugsource-9.26-lp150.2.9.1

ghostscript-mini-devel-9.26-lp150.2.9.1

ghostscript-x11-9.26-lp150.2.9.1

ghostscript-x11-debuginfo-9.26-lp150.2.9.1

- openSUSE Leap 15.0 (x86_64):

libspectre-debugsource-0.2.8-lp150.2.6.2

libspectre-devel-0.2.8-lp150.2.6.2

libspectre1-0.2.8-lp150.2.6.2

libspectre1-debuginfo-0.2.8-lp150.2.6.2

References

https://www.suse.com/security/cve/CVE-2018-17183.html

https://www.suse.com/security/cve/CVE-2018-17961.html

https://www.suse.com/security/cve/CVE-2018-18073.html

https://www.suse.com/security/cve/CVE-2018-18284.html

https://www.suse.com/security/cve/CVE-2018-19409.html

https://www.suse.com/security/cve/CVE-2018-19475.html

https://www.suse.com/security/cve/CVE-2018-19476.html

https://www.suse.com/security/cve/CVE-2018-19477.html

https://bugzilla.suse.com/1109105

https://bugzilla.suse.com/1111479

https://bugzilla.suse.com/1111480

https://bugzilla.suse.com/1112229

https://bugzilla.suse.com/1117022

https://bugzilla.suse.com/1117274

https://bugzilla.suse.com/1117313

https://bugzilla.suse.com/1117327

https://bugzilla.suse.com/1117331

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2018:4138-1
Rating: important
Affected Products: openSUSE Leap 15.0 le.

Topics%20covered

Topics Covered

security advisory ghostscript important code injection access restriction openSUSE sandbox escape

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here