Mageia alert MGASA-2018-0408 (ghostscript)


From:
               Mageia Updates <buildsystem-daemon@mageia.org> 
To:
               updates-announce@ml.mageia.org 
Subject:
               [updates-announce] MGASA-2018-0408: Updated ghostscript packages fix security vulnerabilities 
Date:
               Fri, 19 Oct 2018 20:37:26 +0200
Message-ID:
               <20181019183726.2CE50A0017@duvel.mageia.org>
MGASA-2018-0408 - Updated ghostscript packages fix security vulnerabilities

Publication date: 19 Oct 2018
URL: https://advisories.mageia.org/MGASA-2018-0408.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2018-17961,
     CVE-2018-18073,
     CVE-2018-18284

Description:
Updated ghostscript packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

1Policy operator gives access to .forceput. (CVE-2018-18284)

References:
- https://bugs.mageia.org/show_bug.cgi?id=23659
- https://www.openwall.com/lists/oss-security/2018/10/09/4
- https://www.openwall.com/lists/oss-security/2018/10/11/3
- https://www.openwall.com/lists/oss-security/2018/10/10/12
- https://www.openwall.com/lists/oss-security/2018/10/16/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1...

SRPMS:
- 6/core/ghostscript-9.25-1.2.mga6

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2018-0408: Updated ghostscript packages fix security vulnerabilities
Date:		Fri, 19 Oct 2018 20:37:26 +0200
Message-ID:		<20181019183726.2CE50A0017@duvel.mageia.org>