-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0629
             Multiple vulnerabilities corrected in ghostscript
                               19 July 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          ghostscript
Publisher:        Mandriva
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2010-1628 CVE-2009-4270 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Mandriva. It is recommended that administrators
         running ghostscript check for an updated version of the software 
         for their operating system.
         
         Note: This bulletin contains three (3) advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:134
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : July 15, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in ghostscript:
 
 Stack-based buffer overflow in the errprintf function in base/gsmisc.c
 in ghostscript 8.64 through 8.70 allows remote attackers to cause a
 denial of service (crash) and possibly execute arbitrary code via a
 crafted PDF file, as originally reported for debug logging code in
 gdevcups.c in the CUPS output driver (CVE-2009-4270).
 
 Ghostscript 8.64, 8.70, and possibly other versions allows
 context-dependent attackers to execute arbitrary code via a
 PostScript file containing unlimited recursive procedure invocations,
 which trigger memory corruption in the stack of the interpreter
 (CVE-2010-1628).
 
 As a precaution, ghostscript has been rebuilt to link against the
 system libpng library, which was fixed with MDVSA-2010:133.
 
 Packages for 2008.0 and 2009.0 are provided as part of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4270
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1628
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:135
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : July 15, 2010
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in ghostscript:
 
 Stack-based buffer overflow in the errprintf function in base/gsmisc.c
 in ghostscript 8.64 through 8.70 allows remote attackers to cause a
 denial of service (crash) and possibly execute arbitrary code via a
 crafted PDF file, as originally reported for debug logging code in
 gdevcups.c in the CUPS output driver (CVE-2009-4270).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4270
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:136
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ghostscript
 Date    : July 15, 2010
 Affected: 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in ghostscript:
 
 Ghostscript 8.64, 8.70, and possibly other versions allows
 context-dependent attackers to execute arbitrary code via a
 PostScript file containing unlimited recursive procedure invocations,
 which trigger memory corruption in the stack of the interpreter
 (CVE-2010-1628).
 
 As a precaution, ghostscript has been rebuilt to link against the
 system libpng library, which was fixed with MDVSA-2010:133.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1628
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________


- --------------------------END INCLUDED TEXT--------------------
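
To confirm that a host has picked up the fix, the installed ghostscript build can be compared with the fixed build for its release. The following is an added example, not part of the Mandriva or AusCERT text: the fixed version-release strings come from the updated package file names in the three advisories, while the distribution-tag matching, the simplified RPM version comparison (no epoch or tilde handling) and the sample query output are assumptions made for the example.

```python
import re

# Fixed ghostscript builds keyed by the distribution tag found in the RPM
# release field. Version and release come from the package file names in
# MDVSA-2010:134, MDVSA-2010:135 and MDVSA-2010:136.
FIXED = {
    "mdv2008.0": ("8.60", "55.5mdv2008.0", "MDVSA-2010:134"),
    "mdv2009.0": ("8.63", "62.5mdv2009.0", "MDVSA-2010:134"),
    "mdv2009.1": ("8.64", "65.3mdv2009.1", "MDVSA-2010:134"),
    "mdv2010.0": ("8.64", "69.2mdv2010.0", "MDVSA-2010:134"),
    "mdvmes5": ("8.63", "62.5mdvmes5.1", "MDVSA-2010:134"),
    "mlcs4": ("8.15", "46.4.20060mlcs4", "MDVSA-2010:135"),
    "mdv2010.1": ("8.71", "71.1mdv2010.1", "MDVSA-2010:136"),
}

# Assumption: the release field always carries one of these tags.
DIST_TAG = re.compile(r"mdv20\d\d\.\d|mdvmes5|mlcs4")
# Packages that share the ghostscript version number (libijs1 does not).
GS_NAME = re.compile(r"^(ghostscript(-.+)?|lib(64)?gs8(-devel)?)$")
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings; return -1, 0 or 1.

    Follows RPM's segment rules: separators are ignored, numeric segments
    compare as integers, alphabetic ones as strings, a numeric segment is
    newer than an alphabetic one, and extra trailing segments are newer.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def triage(query_output):
    """Classify each ghostscript package line as fixed or needing an update.

    Expects the output of:
        rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
    Returns a list of (name, status, advisory) tuples.
    """
    results = []
    for line in query_output.splitlines():
        fields = line.split()
        if len(fields) != 3 or not GS_NAME.match(fields[0]):
            continue
        name, version, release = fields
        tag = DIST_TAG.search(release)
        if tag is None:
            # Not a release covered by these advisories.
            results.append((name, "unknown-release", None))
            continue
        fixed_ver, fixed_rel, advisory = FIXED[tag.group()]
        order = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
        status = "fixed" if order >= 0 else "needs-update"
        results.append((name, status, advisory))
    return results


# Constructed sample output; the older release numbers are invented.
SAMPLE = """\
ghostscript 8.64 69.2mdv2010.0
libgs8 8.64 69.1mdv2010.0
ghostscript-common 8.63 62.5mdvmes5.1
ghostscript 8.15 46.3.20060mlcs4
libijs1 0.35 69.2mdv2010.0
ghostscript 8.71 3.fc13
"""

if __name__ == "__main__":
    for name, status, advisory in triage(SAMPLE):
        print(f"{name:20} {status:16} {advisory or '-'}")
```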

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMQ+dk/iFOrG6YcBERAsBRAKDZcyJtOd9sjXls1ybbVIrJmtsDLACghEiJ
NKPobPpZX7612YP1IgEVSUE=
=lBtj
-----END PGP SIGNATURE-----