From: "Ware, Ryan R" <ryan.r.ware@intel.com>
To: "meego-security@meego.com" <meego-security@meego.com>
Subject: [MeeGo-security] [MeeGo-SA-10:35.ghostscript] Incorrect Initialization Files Allow Arbitrary PS Commands
Date: Thu, 20 Jan 2011 16:40:10 -0700
Message-ID: <FDA72B18-A659-4C12-98B2-05484F061473@intel.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
MeeGo-SA-10:35.ghostscript                                  Security Advisory
                                                                MeeGo Project

Topic:          Incorrect Initialization Files Allow Arbitrary PS Commands
Category:       Graphics
Module:         ghostscript
Announced:      November 3, 2010
Affects:        MeeGo 1.0
Corrected:      November 3, 2010
MeeGo BID:      3995
CVE:            CVE-2010-2055

For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.

I. Background

Ghostscript is a set of software that provides a PostScript
interpreter, a set of C procedures (the Ghostscript library, which
implements the graphics capabilities in the PostScript language) and
an interpreter for Portable Document Format (PDF) files. Ghostscript
translates PostScript code into many common, bitmapped formats, like
those understood by your printer or screen. Ghostscript is normally
used to display PostScript files and to print PostScript files to
non-PostScript printers.

II. Problem Description

CVE-2010-2055: Ghostscript 8.71 and earlier reads initialization files
from the current working directory, which allows local users to
execute arbitrary PostScript commands via a Trojan horse file, related
to improper support for the -P- option to the gs program.

CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable

III. Impact

CVE-2010-2055: Unauthorized disclosure of information, modification
or disruption of service due to design error

IV. Workaround

None

V. Solution

Update to package ghostscript-9.00-11.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=3995
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
https://nvd.nist.gov/cwe.cfm#NVD-CWE-DesignError
_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
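
A pre-flight check for the condition described in section II, as an added example that is not part of the advisory or of Ghostscript: it reports files in a working directory whose names collide with installed Ghostscript initialization files. The function name `gs_shadow_check` and both directory arguments are assumptions; the caller supplies the init directory because its location varies by package and version.

```shell
#!/bin/sh
# Added example (not from the advisory): list files in WORKDIR that share a
# name with a file in Ghostscript's initialization directory INITDIR. On an
# affected gs (8.71 and earlier per CVE-2010-2055) such a file in the current
# working directory could be read in place of the installed one.
#
# Usage: gs_shadow_check WORKDIR INITDIR
# Prints one colliding path per line.
# Returns 0 if none found, 1 if any found, 2 on a missing directory.
gs_shadow_check() {
    workdir=$1
    initdir=$2
    [ -d "$workdir" ] && [ -d "$initdir" ] || return 2

    # Running from the init directory itself is not a shadowing condition.
    [ "$(cd "$workdir" && pwd -P)" = "$(cd "$initdir" && pwd -P)" ] && return 0

    found=0
    for f in "$initdir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and empty globs
        name=${f##*/}
        # -e follows symlinks; -L also catches dangling symlinks in WORKDIR.
        if [ -e "$workdir/$name" ] || [ -L "$workdir/$name" ]; then
            printf '%s\n' "$workdir/$name"
            found=1
        fi
    done
    return "$found"
}
```

A non-zero return before invoking `gs` in a directory other users can write to is a reason to inspect the listed files; the fix itself remains the package update in section V.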