Adding patchinfo patchinfo.20241204101326815619.255638743075857

2024-12-05 14:25:42 +01:00 · 2024-12-05 14:25:42 +01:00 · 8d04302020
commit 8d04302020
parent e051077904
1 changed files with 45 additions and 0 deletions
--- a/patchinfo.20241204101326815619.255638743075857/_patchinfo
+++ b/patchinfo.20241204101326815619.255638743075857/_patchinfo
@ -0,0 +1,45 @@
+<patchinfo>
+  <!-- generated from request(s) 352984 -->
+  <issue tracker="bnc" id="1232173">VUL-0: TRACKERBUG: Multiple vulnerabilities fixed in Ghostscript v10.04.0</issue>
+  <issue tracker="bnc" id="1232265">VUL-0: CVE-2024-46951: ghostscript: Arbitrary code execution via unchecked "Implementation" pointer in "Pattern" color space</issue>
+  <issue tracker="bnc" id="1232266">VUL-0: CVE-2024-46952: ghostscript: Buffer overflow in PDF XRef stream</issue>
+  <issue tracker="bnc" id="1232267">VUL-0: CVE-2024-46953: ghostscript: An integer overflow when parsing the page format results in path truncation, path traversal, code execution</issue>
+  <issue tracker="bnc" id="1232268">VUL-0: CVE-2024-46954: ghostscript: Arbitrary file access (and RCE) via overlong UTF-8 enconding on Windows</issue>
+  <issue tracker="bnc" id="1232269">VUL-0: CVE-2024-46955: ghostscript: Out of bounds read when reading color in "Indexed" color space</issue>
+  <issue tracker="bnc" id="1232270">VUL-0: CVE-2024-46956: ghostscript: Arbitrary code execution via out of bounds data access in filenameforall</issue>
+  <issue tracker="cve" id="2024-46951"/>
+  <issue tracker="cve" id="2024-46952"/>
+  <issue tracker="cve" id="2024-46953"/>
+  <issue tracker="cve" id="2024-46954"/>
+  <issue tracker="cve" id="2024-46955"/>
+  <issue tracker="cve" id="2024-46956"/>
+  <packager>jsmeix</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for ghostscript</summary>
+  <description>This update for ghostscript fixes the following issues:
+
+- Version upgrade to 10.04.0 (bsc#1232173), including fixes for:
+    + CVE-2024-46951 (bsc#1232265)
+    + CVE-2024-46952 (bsc#1232266)
+    + CVE-2024-46953 (bsc#1232267)
+    + CVE-2024-46954 (bsc#1232268)
+    + CVE-2024-46955 (bsc#1232269)
+    + CVE-2024-46956 (bsc#1232270)
+  * IMPORTANT: In this release (10.04.0)
+    we (i.e. Ghostscript upstream) have be added
+    protection for device selection from PostScript input.
+    This will mean that, by default, only the device specified
+    on the command line will be permitted. Similar to the file
+    permissions, there will be a "--permit-devices=" allowing
+    a comma separation list of allowed devices. This will also
+    take a single wildcard "*" allowing any device.
+    Any application which relies on allowing PostScript
+    to change devices during a job will have to be aware,
+    and take action to deal with this change.
+    The exception is "nulldevice", switching to that requires
+    no special action. 
+</description>
+  <package>ghostscript</package>
+  <seperate_build_arch/>
+</patchinfo>