Scientific Linux alert SLSA-2018:2918-1 (ghostscript)


From:
               Scott Reid <svreid@fnal.gov> 
To:
               <scientific-linux-errata@listserv.fnal.gov> 
Subject:
               Security ERRATA Important: ghostscript on SL7.x x86_64 
Date:
               Tue, 16 Oct 2018 14:25:08 +0000
Message-ID:
               <20181016142508.29511.27841@slpackages.fnal.gov>
Synopsis:          Important: ghostscript security update
Advisory ID:       SLSA-2018:2918-1
Issue Date:        2018-10-16
CVE Numbers:       CVE-2018-10194
                   CVE-2018-16509
                   CVE-2018-15910
                   CVE-2018-16542
--

Security Fix(es):

* It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass the
- -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document. (CVE-2018-16509)

* ghostscript: LockDistillerParams type confusion (699656)
(CVE-2018-15910)

* ghostscript: .definemodifiedfont memory corruption if /typecheck is
handled (699668) (CVE-2018-16542)

* ghostscript: Stack-based out-of-bounds write in pdf_set_text_matrix
function in gdevpdts.c (CVE-2018-10194)
--

SL7
  x86_64
    ghostscript-9.07-29.el7_5.2.i686.rpm
    ghostscript-9.07-29.el7_5.2.x86_64.rpm
    ghostscript-cups-9.07-29.el7_5.2.x86_64.rpm
    ghostscript-debuginfo-9.07-29.el7_5.2.i686.rpm
    ghostscript-debuginfo-9.07-29.el7_5.2.x86_64.rpm
    ghostscript-devel-9.07-29.el7_5.2.i686.rpm
    ghostscript-devel-9.07-29.el7_5.2.x86_64.rpm
    ghostscript-gtk-9.07-29.el7_5.2.x86_64.rpm
    ghostscript-9.07-29.el7_5.2.src.rpm
  noarch
    ghostscript-doc-9.07-29.el7_5.2.noarch.rpm

- Scientific Linux Development Team

From:		Scott Reid <svreid@fnal.gov>
To:		<scientific-linux-errata@listserv.fnal.gov>
Subject:		Security ERRATA Important: ghostscript on SL7.x x86_64
Date:		Tue, 16 Oct 2018 14:25:08 +0000
Message-ID:		<20181016142508.29511.27841@slpackages.fnal.gov>