Oval Definition:oval:com.redhat.rhsa:def:20120095
Revision Date:2012-02-02Version:638
Title:RHSA-2012:0095: ghostscript security update (Moderate)
Description:Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.

  • An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2009-3743)

  • It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code. (CVE-2010-2055)

  • Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820)

    Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first).

  • A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054)

    Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2009-3743
    CVE-2009-3743
    CVE-2010-2055
    CVE-2010-2055
    CVE-2010-4054
    CVE-2010-4054
    CVE-2010-4820
    CVE-2010-4820
    RHSA-2012:0095
    RHSA-2012:0095-01
    RHSA-2012:0095-01
    Platform(s):Red Hat Enterprise Linux 5
    Red Hat Enterprise Linux 6
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • ghostscript is earlier than 0:8.70-6.el5_7.6
  • AND ghostscript is signed with Red Hat redhatrelease2 key
  • ghostscript-devel is earlier than 0:8.70-6.el5_7.6
  • AND ghostscript-devel is signed with Red Hat redhatrelease2 key
  • ghostscript-gtk is earlier than 0:8.70-6.el5_7.6
  • AND ghostscript-gtk is signed with Red Hat redhatrelease2 key
  • OR Package Information
  • Red Hat Enterprise Linux 6 is installed
  • AND
  • ghostscript is earlier than 0:8.70-11.el6_2.6
  • AND ghostscript is signed with Red Hat redhatrelease2 key
  • ghostscript-devel is earlier than 0:8.70-11.el6_2.6
  • AND ghostscript-devel is signed with Red Hat redhatrelease2 key
  • ghostscript-doc is earlier than 0:8.70-11.el6_2.6
  • AND ghostscript-doc is signed with Red Hat redhatrelease2 key
  • ghostscript-gtk is earlier than 0:8.70-11.el6_2.6
  • AND ghostscript-gtk is signed with Red Hat redhatrelease2 key
    • BACK