
MeeGo alert MeeGo-SA-10:35 (ghostscript)

From:  "Ware, Ryan R" <ryan.r.ware@intel.com>
To:  "meego-security@meego.com" <meego-security@meego.com>
Subject:  [MeeGo-security] [MeeGo-SA-10:35.ghostscript] Incorrect Initialization Files Allow Arbitrary PS Commands
Date:  Thu, 20 Jan 2011 16:40:10 -0700
Message-ID:  <FDA72B18-A659-4C12-98B2-05484F061473@intel.com>

=============================================================================
MeeGo-SA-10:35.ghostscript Security Advisory
MeeGo Project

Topic: Incorrect Initialization Files Allow Arbitrary PS Commands

Category: Graphics
Module: ghostscript
Announced: November 3, 2010
Affects: MeeGo 1.0
Corrected: November 3, 2010
MeeGo BID: 3995
CVE: CVE-2010-2055

For general information regarding MeeGo Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.MeeGo.com/>.

I. Background

Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. Ghostscript translates PostScript code into many common, bitmapped formats, like those understood by your printer or screen. Ghostscript is normally used to display PostScript files and to print PostScript files to non-PostScript printers.

II. Problem Description

CVE-2010-2055: Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program.

CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable

III. Impact

CVE-2010-2055: Unauthorized disclosure of information, modification or disruption of service due to design error

IV. Workaround

None

V. Solution

Update to package ghostscript-9.00-11.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=3995
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
https://nvd.nist.gov/cwe.cfm#NVD-CWE-DesignError
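An added example, not part of the MeeGo advisory or of Ghostscript: a Python audit that lists files in a working directory whose names match Ghostscript startup files, the kind of file the advisory says Ghostscript 8.71 and earlier reads from the current working directory. The function name `audit_workdir` and the name patterns in `INIT_PATTERNS` are assumptions made for illustration, and the pattern list is not exhaustive.

```python
import fnmatch
import os
import stat
import tempfile

# Assumption: illustrative, non-exhaustive names of files Ghostscript loads at startup.
INIT_PATTERNS = ("gs_*.ps", "Fontmap", "Fontmap.*", "cidfmap")


def audit_workdir(path, trusted_uids=None):
    """Return (kind, name) findings for a directory gs might be run from."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    findings = []
    # Any local user can plant a file in a world-writable directory.
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append(("dir-world-writable", path))
    for name in sorted(os.listdir(path)):
        if not any(fnmatch.fnmatchcase(name, p) for p in INIT_PATTERNS):
            continue
        # lstat: report the owner of a symlink itself, not of its target.
        owner = os.lstat(os.path.join(path, name)).st_uid
        kind = "shadowing-file" if owner in trusted_uids else "untrusted-owner"
        findings.append((kind, name))
    return findings


if __name__ == "__main__":
    # Constructed sample: a private directory holding one look-alike init file.
    with tempfile.TemporaryDirectory() as d:
        for name in ("gs_init.ps", "report.ps"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("% constructed placeholder\n")
        for kind, name in audit_workdir(d):
            print(f"{kind}: {name}")
```

Any finding marks a directory from which an unpatched gs should not be started until the package named in the Solution section is installed.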

