ghostscript-8.70-21.AXS4.1
Errata ID: AXSA:2017-1219:01
Release date:
2017/01/04 Wednesday - 17:32
Title:
ghostscript-8.70-21.AXS4.1
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
Moderate
Description:
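The following issues have been addressed.
[Security Fix]
- The getenv and filenameforall functions in Ghostscript ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file. (CVE-2013-5653)
- Information for CVE-2016-7977, CVE-2016-7979 and CVE-2016-8602 has not been published at this time.
We will update this information as soon as the CVE details are published.
Some CVE translations are quoted from JVN.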
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2013-5653
The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file.
CVE-2016-7977
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document.
CVE-2016-7979
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser.
CVE-2016-8602
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack.
Additional information:
N/A
Downloads:
SRPMS
- ghostscript-8.70-21.AXS4.1.src.rpm
MD5: b5e34ccf6ac78889b9a2a784df804f78
SHA-256: 82a0837fee73d96f8d5d09cfcb93dbef0cc09f5367113b17784a9dfbb4a3de55
Size: 12.19 MB
Asianux Server 4 for x86
- ghostscript-8.70-21.AXS4.1.i686.rpm
MD5: 428d07d7b892461a3f119764b8d2a17f
SHA-256: 5ab02a14c8c80fd6ae9da427cf6bce6d8fc157538dc0e5efdb677294fd03707e
Size: 4.45 MB
Asianux Server 4 for x86_64
- ghostscript-8.70-21.AXS4.1.x86_64.rpm
MD5: 16004046d000da0599398608290a9bb9
SHA-256: 23a5c21ab422374bda1a85e2e1ec6fdf13830d0ff4442f8a57c442f546407719
Size: 4.42 MB
- ghostscript-8.70-21.AXS4.1.i686.rpm
MD5: 428d07d7b892461a3f119764b8d2a17f
SHA-256: 5ab02a14c8c80fd6ae9da427cf6bce6d8fc157538dc0e5efdb677294fd03707e
Size: 4.45 MB