SUSE_ALP_Standard/patchinfo.20241204101326815619.255638743075857/_patchinfo


<patchinfo incident="129">
<!-- generated from request(s) 352984 -->
<issue tracker="bnc" id="1232173">VUL-0: TRACKERBUG: Multiple vulnerabilities fixed in Ghostscript v10.04.0</issue>
<issue tracker="bnc" id="1232265">VUL-0: CVE-2024-46951: ghostscript: Arbitrary code execution via unchecked "Implementation" pointer in "Pattern" color space</issue>
<issue tracker="bnc" id="1232266">VUL-0: CVE-2024-46952: ghostscript: Buffer overflow in PDF XRef stream</issue>
<issue tracker="bnc" id="1232267">VUL-0: CVE-2024-46953: ghostscript: An integer overflow when parsing the page format results in path truncation, path traversal, code execution</issue>
<issue tracker="bnc" id="1232268">VUL-0: CVE-2024-46954: ghostscript: Arbitrary file access (and RCE) via overlong UTF-8 encoding on Windows</issue>
<issue tracker="bnc" id="1232269">VUL-0: CVE-2024-46955: ghostscript: Out of bounds read when reading color in "Indexed" color space</issue>
<issue tracker="bnc" id="1232270">VUL-0: CVE-2024-46956: ghostscript: Arbitrary code execution via out of bounds data access in filenameforall</issue>
<issue tracker="cve" id="2024-46951"/>
<issue tracker="cve" id="2024-46952"/>
<issue tracker="cve" id="2024-46953"/>
<issue tracker="cve" id="2024-46954"/>
<issue tracker="cve" id="2024-46955"/>
<issue tracker="cve" id="2024-46956"/>
<packager>jsmeix</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for ghostscript</summary>
<description>This update for ghostscript fixes the following issues:
- Version upgrade to 10.04.0 (bsc#1232173), including fixes for:
+ CVE-2024-46951 (bsc#1232265)
+ CVE-2024-46952 (bsc#1232266)
+ CVE-2024-46953 (bsc#1232267)
+ CVE-2024-46954 (bsc#1232268)
+ CVE-2024-46955 (bsc#1232269)
+ CVE-2024-46956 (bsc#1232270)
* IMPORTANT: In this release (10.04.0)
we (i.e. Ghostscript upstream) have added
protection for device selection from PostScript input.
This will mean that, by default, only the device specified
on the command line will be permitted. Similar to the file
permissions, there will be a "--permit-devices=" option allowing
a comma-separated list of allowed devices. This will also
take a single wildcard "*" allowing any device.
Any application which relies on allowing PostScript
to change devices during a job will have to be aware,
and take action to deal with this change.
The exception is "nulldevice", switching to that requires
no special action.
</description>
<package>ghostscript</package>
<seperate_build_arch/>
</patchinfo>