Skip to navigation

Security Advisory Moderate: ghostscript security update

Advisory: RHSA-2012:0096-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-02-02
Last updated on: 2012-02-02
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2010-4054
CVE-2010-4820

Details

Updated ghostscript packages that fix two security issues are now available
for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Ghostscript is a set of software that provides a PostScript interpreter, a
set of C procedures (the Ghostscript library, which implements the graphics
capabilities in the PostScript language) and an interpreter for Portable
Document Format (PDF) files.

Ghostscript included the current working directory in its library search
path by default. If a user ran Ghostscript without the "-P-" option in an
attacker-controlled directory containing a specially-crafted PostScript
library file, it could cause Ghostscript to execute arbitrary PostScript
code. With this update, Ghostscript no longer searches the current working
directory for library files by default. (CVE-2010-4820)

Note: The fix for CVE-2010-4820 could possibly break existing
configurations. To use the previous, vulnerable behavior, run Ghostscript
with the "-P" option (to always search the current working directory
first).

A flaw was found in the way Ghostscript interpreted PostScript Type 1 and
PostScript Type 2 font files. An attacker could create a specially-crafted
PostScript Type 1 or PostScript Type 2 font file that, when interpreted,
could cause Ghostscript to crash or, potentially, execute arbitrary code.
(CVE-2010-4054)

Users of Ghostscript are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
ghostscript-7.07-33.13.el4.src.rpm     MD5: 3428106dd3d38c241a11e17a8953c849
SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
 
IA-32:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm     MD5: 4763a706ee4976f113738ae29a5ec67d
SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm     MD5: a87a7e543a15621da463d631bf9cb953
SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2
 
x86_64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm     MD5: e8dea01f4b73b2a5be0482412ea2cc95
SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm     MD5: 7594a731f4b5876c779a3ea4c518fe9b
SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm     MD5: 7922cb8f3927f4e4d59dde3eded759ef
SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
ghostscript-7.07-33.13.el4.src.rpm     MD5: 3428106dd3d38c241a11e17a8953c849
SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
 
IA-32:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm     MD5: 4763a706ee4976f113738ae29a5ec67d
SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm     MD5: a87a7e543a15621da463d631bf9cb953
SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2
 
IA-64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.ia64.rpm     MD5: 7c470290fc39f54fd96395e1512e5245
SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-devel-7.07-33.13.el4.ia64.rpm     MD5: f3b03bcc3956bdb11f8652624b61d206
SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-gtk-7.07-33.13.el4.ia64.rpm     MD5: 97620a5033da75e875c67f8d14ad3606
SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
 
PPC:
ghostscript-7.07-33.13.el4.ppc.rpm     MD5: afdac04fd8feb2d72291550cec82c8d3
SHA-256: 35180707811f32cf1481bc8486e861424c18007340a7808e5d9ed4aac7ac2abd
ghostscript-7.07-33.13.el4.ppc64.rpm     MD5: 36e229286fca210c7d50645375fbe647
SHA-256: 190a87dc774b2a7c35b08c675053c797429ca87f6343bdefcbfbdf270f1db84f
ghostscript-devel-7.07-33.13.el4.ppc.rpm     MD5: 10fc62f825290756b4ed127890cbf36c
SHA-256: e21304602b9fa9b50d04287bc60e2b533fe8075cd2356566dc35d78e2223402d
ghostscript-gtk-7.07-33.13.el4.ppc.rpm     MD5: bdf9e181fff5d7cf0fce739f9b7aac88
SHA-256: 28986429bd02bcb2bc14f3af9f354810dd57b33e47dafd7bdc15dd0d09b95e7e
 
s390:
ghostscript-7.07-33.13.el4.s390.rpm     MD5: e956c52517afb9bb6237455119d2192f
SHA-256: a01e8000d7482c3f734827c261c9cf4cae80ae9b50103f94090b642230938cc6
ghostscript-devel-7.07-33.13.el4.s390.rpm     MD5: aa6f04fe7fd5eb2940e97dc8866ef099
SHA-256: 9c5d8eb36a8c1774e080d2900992b4bbadec3b02f7d818ac0b6d0813cf94afb8
ghostscript-gtk-7.07-33.13.el4.s390.rpm     MD5: 84cff30d7d8a75bda721c6458d2676e8
SHA-256: b16916a7757f3993193948b8ee763bde650afb2b31856bdbee11884e272bd415
 
s390x:
ghostscript-7.07-33.13.el4.s390.rpm     MD5: e956c52517afb9bb6237455119d2192f
SHA-256: a01e8000d7482c3f734827c261c9cf4cae80ae9b50103f94090b642230938cc6
ghostscript-7.07-33.13.el4.s390x.rpm     MD5: baf163dcdbccdafa9de37ed736bfa333
SHA-256: eb66969056ac21e58f3029fe4a544dc9ea56d160ad2b1391089de92b25a44e6f
ghostscript-devel-7.07-33.13.el4.s390x.rpm     MD5: 8aeddc155db4ae4dbfe9ca0ba5cd7cb7
SHA-256: 4f75c91c6747515935e0d1b51ffc14b5c9c658025a2c87c3f7547c6d37283436
ghostscript-gtk-7.07-33.13.el4.s390x.rpm     MD5: 49ad856bae7a3b2a284ec1c74efa559f
SHA-256: d5f7d744fc8ced2af99210b32773a7c4ab14c904accc6afd2a990d7c990d4723
 
x86_64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm     MD5: e8dea01f4b73b2a5be0482412ea2cc95
SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm     MD5: 7594a731f4b5876c779a3ea4c518fe9b
SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm     MD5: 7922cb8f3927f4e4d59dde3eded759ef
SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
ghostscript-7.07-33.13.el4.src.rpm     MD5: 3428106dd3d38c241a11e17a8953c849
SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
 
IA-32:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm     MD5: 4763a706ee4976f113738ae29a5ec67d
SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm     MD5: a87a7e543a15621da463d631bf9cb953
SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2
 
IA-64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.ia64.rpm     MD5: 7c470290fc39f54fd96395e1512e5245
SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-devel-7.07-33.13.el4.ia64.rpm     MD5: f3b03bcc3956bdb11f8652624b61d206
SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-gtk-7.07-33.13.el4.ia64.rpm     MD5: 97620a5033da75e875c67f8d14ad3606
SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
 
x86_64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm     MD5: e8dea01f4b73b2a5be0482412ea2cc95
SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm     MD5: 7594a731f4b5876c779a3ea4c518fe9b
SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm     MD5: 7922cb8f3927f4e4d59dde3eded759ef
SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
ghostscript-7.07-33.13.el4.src.rpm     MD5: 3428106dd3d38c241a11e17a8953c849
SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
 
IA-32:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm     MD5: 4763a706ee4976f113738ae29a5ec67d
SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm     MD5: a87a7e543a15621da463d631bf9cb953
SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2
 
IA-64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.ia64.rpm     MD5: 7c470290fc39f54fd96395e1512e5245
SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-devel-7.07-33.13.el4.ia64.rpm     MD5: f3b03bcc3956bdb11f8652624b61d206
SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-gtk-7.07-33.13.el4.ia64.rpm     MD5: 97620a5033da75e875c67f8d14ad3606
SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
 
x86_64:
ghostscript-7.07-33.13.el4.i386.rpm     MD5: 56d38c42bd2c5e9af8c0ff889ff95b16
SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm     MD5: e8dea01f4b73b2a5be0482412ea2cc95
SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm     MD5: 7594a731f4b5876c779a3ea4c518fe9b
SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm     MD5: 7922cb8f3927f4e4d59dde3eded759ef
SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

646086 - CVE-2010-4054 ghostscript: glyph data access improper input validation
771853 - CVE-2010-4820 ghostscript: CWD included in the default library search path


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/