Security Advisory: updated ghostscript packages fix vulnerabilities

Advisory: RHSA-2003:209-02
Type: Security Advisory
Severity: N/A
Issued on: 2003-06-24
Last updated on: 2003-06-24
Affected Products: Red Hat Linux 7.1 for iSeries
Red Hat Linux 7.1 for pSeries
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0363
CVE-2003-0354

Details

Updated packages are available for GNU Ghostscript under the iSeries and
pSeries architectures which fix various security vulnerabilities.

Ghostscript is a program for displaying PostScript files or printing them
to non-PostScript printers.

An untrusted PostScript file can cause ghostscript to execute arbitrary
commands due to insufficient checking. Since ghostscript is often used
during the course of printing a document (and is run as user lp), all
users should install the packages contained in this erratum.

The problem was fixed in the 6.53 source release of GNU Ghostscript, and
the fix has been backported and applied to the packages referenced by this
advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0363 to this issue.

Please note that this vulnerability is different from the "local file read"
issue corrected by our previous Ghostscript errata (RHSA-2001:112 and
RHSA-2001:138).

A flaw in unpatched versions of Ghostscript before 7.07 allows malicious
PostScript files to execute arbitrary commands even with -dSAFER enabled.
Note that this vulnerability does not affect Ghostscript when the Red Hat
-dPARANOIDSAFER option is used. Therefore, a malicious print job cannot be
used to exploit this vulnerability under Red Hat Linux.

Users of Ghostscript are advised to upgrade to these updated packages,
which contain a backported patch and are not vulnerable to this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
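The Solution section describes the manual path: download the RPMs, then run rpm -Fvh so that only already-installed packages are freshened. The following shell functions are an added example, not the advisory's own instructions or Red Hat tooling: they compare a downloaded RPM's MD5 checksum against the value published in the advisory and check its GPG signature with rpm --checksig before applying it. They assume md5sum (or openssl as a fallback) is on PATH, and that rpm is present only on the target system, so the rpm calls are confined to apply_verified_rpm.

```shell
#!/bin/sh
# Added example (not from the advisory): verify checksum and signature of a
# downloaded RPM before freshening it with rpm -Fvh.

# Print the MD5 digest of a file. The 32-hex-character values listed with
# each package in the advisory are MD5 sums. Falls back to openssl when
# coreutils md5sum is not installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Return 0 when the file's digest equals the expected value, 1 otherwise.
verify_checksum() {
    file="$1"
    expected="$2"
    actual=$(file_md5 "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Check the published checksum, then the Red Hat GPG signature, and only
# then freshen the package (rpm -F upgrades it only if already installed).
apply_verified_rpm() {
    file="$1"
    expected="$2"
    if ! verify_checksum "$file" "$expected"; then
        echo "checksum mismatch, not installing: $file" >&2
        return 1
    fi
    if ! rpm --checksig "$file"; then
        echo "signature check failed, not installing: $file" >&2
        return 1
    fi
    rpm -Fvh "$file"
}

# Usage with the values published in this advisory (run on the target host):
#   apply_verified_rpm ghostscript-6.51-16.1.7x.1.ppc.rpm bdea16a905efe2fbd97ef62f1fc9cc4b
```

Checking the signature after the checksum is deliberate: the checksum confirms the file is the one the advisory describes, and rpm --checksig confirms it was signed with the Red Hat key you have imported, so a mirror serving a modified package fails either test.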

Updated packages

Red Hat Linux 7.1 for iSeries

SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/ghostscript-6.51-16.1.7x.1.src.rpm
    MD5: 17f5e1f86295677e4ad75fc202d26159
 
iSeries:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/ghostscript-6.51-16.1.7x.1.ppc.rpm
    MD5: bdea16a905efe2fbd97ef62f1fc9cc4b
 
Red Hat Linux 7.1 for pSeries

SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/ghostscript-6.51-16.1.7x.1.src.rpm
    MD5: 17f5e1f86295677e4ad75fc202d26159
 
pSeries:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/ghostscript-6.51-16.1.7x.1.ppc.rpm
    MD5: bdea16a905efe2fbd97ef62f1fc9cc4b
 

Keywords

ghostscript, PARANOIDSAFER, SAFER


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/