VUL-0: TRACKERBUG: Multiple vulnerabilities fixed in Ghostscript v10.04.0
VUL-0: CVE-2024-46951: ghostscript: Arbitrary code execution via unchecked "Implementation" pointer in "Pattern" color space
VUL-0: CVE-2024-46952: ghostscript: Buffer overflow in PDF XRef stream
VUL-0: CVE-2024-46953: ghostscript: An integer overflow when parsing the page format results in path truncation, path traversal, code execution
VUL-0: CVE-2024-46954: ghostscript: Arbitrary file access (and RCE) via overlong UTF-8 encoding on Windows
VUL-0: CVE-2024-46955: ghostscript: Out of bounds read when reading color in "Indexed" color space
VUL-0: CVE-2024-46956: ghostscript: Arbitrary code execution via out of bounds data access in filenameforall
jsmeix
important
security
Security update for ghostscript
This update for ghostscript fixes the following issues:
- Version upgrade to 10.04.0 (bsc#1232173), including fixes for:
+ CVE-2024-46951 (bsc#1232265)
+ CVE-2024-46952 (bsc#1232266)
+ CVE-2024-46953 (bsc#1232267)
+ CVE-2024-46954 (bsc#1232268)
+ CVE-2024-46955 (bsc#1232269)
+ CVE-2024-46956 (bsc#1232270)
* IMPORTANT: In this release (10.04.0)
we (i.e. Ghostscript upstream) have added
protection for device selection from PostScript input.
This will mean that, by default, only the device specified
on the command line will be permitted. Similar to the file
permissions, there will be a "--permit-devices=" allowing
a comma-separated list of allowed devices. This will also
accept a single wildcard "*" allowing any device.
Any application which relies on allowing PostScript
to change devices during a job will have to be aware,
and take action to deal with this change.
The exception is "nulldevice", switching to that requires
no special action.
ghostscript