ghostscript-9.25-2.el7.2

エラータID: AXSA:2019-4296:03

Release date: 
Thursday, September 19, 2019 - 08:48
Subject: 
ghostscript-9.25-2.el7.2
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Security Fix(es):

* ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811)

* ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812)

* ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813)

* ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-14811
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-14812
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-14813
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-14817
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2019-14811
A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
CVE-2019-14812
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-14813
A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
CVE-2019-14817
A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Additional Info: 

N/A

Download: 

SRPMS
  1. ghostscript-9.25-2.el7.2.src.rpm
    MD5: 16be7bdbcbec733dc5e5de9c2f827aed
    SHA-256: 151b80449995b39147544a3d7c99b90fd765e08c27dfc0df7726bba4146b203e
    Size: 31.64 MB

Asianux Server 7 for x86_64
  1. ghostscript-9.25-2.el7.2.x86_64.rpm
    MD5: 14bc23696e41de3c860c6685a06d3ba1
    SHA-256: 5773ca1f07f51d9c80d818d24c04675b82f9d2332f8e99e317d9a24db8a349fc
    Size: 110.56 kB
  2. ghostscript-cups-9.25-2.el7.2.x86_64.rpm
    MD5: 01648c3abef593e1a52edab73e1405e3
    SHA-256: 3685dc03f1da465a4e29ee738b85f9115ded26c2111a1bb828ca827bd249e5f1
    Size: 59.86 kB
  3. libgs-9.25-2.el7.2.x86_64.rpm
    MD5: e4c26d7eb7868c31b9e84b5e9e0987ac
    SHA-256: 8796e3e39a157aa2e107475ecfccfc6343f401f3864693a4be5c2ef8eaa9c4ab
    Size: 4.58 MB
  4. libgs-devel-9.25-2.el7.2.x86_64.rpm
    MD5: 597df0273b5c4efd4e6b948546a73d94
    SHA-256: 4c20b34310bb3b9f6e0a19e762709740d644f09378fb7a7511591d4e5240b11e
    Size: 55.86 kB
  5. ghostscript-9.25-2.el7.2.i686.rpm
    MD5: 042b39c81ee681e20db3fb39a5629b6e
    SHA-256: 94e154644c4c91d9ef47110a844ba1c38218012f49cb17ad3d192357d9dcaeda
    Size: 110.69 kB
  6. libgs-9.25-2.el7.2.i686.rpm
    MD5: a499ed2cfd2f7d76712b6daa601783d7
    SHA-256: 6d1e7734a9e8a5042d773226c90a9ab64aa8a4e3c68d0316d39e3589a1ae1fcc
    Size: 4.58 MB
  7. libgs-devel-9.25-2.el7.2.i686.rpm
    MD5: 2ae54accf749f1d1afc7739080221717
    SHA-256: 408c93cb84195ab7723477b928f8019bd08783933ab7923cfb88ccb38e0bbbc9
    Size: 55.90 kB