[linux-security] ghostscript allows execution of arbitrary code
- To: linux-security
- Subject: [linux-security] ghostscript allows execution of arbitrary code
- From: Martin Siegert <siegert@sfu.ca>
- Date: Tue, 4 Jun 2002 18:40:58 -0700
- User-Agent: Mutt/1.2.5.1i
Topic
=====
ghostscript can be tricked into executing arbitrary code
Problem Description
===================
An untrusted PostScript file can cause ghostscript to execute arbitrary
commands due to insufficient checking. This is a serious threat because
ghostscript is used when viewing PostScript files (using gv or ghostview)
or printing PostScript files to non-PostScript printers.
Affected Systems
================
ghostscript versions < 6.53 (this is the GNU ghostscript version; there
also exists a corresponding Aladdin version)
Solution
========
Upgrade to version 6.53 (or the patched version for your distribution).
RedHat 6.x
----------
First check whether you have ghostscript installed: rpm -q ghostscript
If you have ghostscript installed, do:
rpm -Uvh ghostscript-6.51-16.1.6x.1.i386.rpm \
VFlib2-2.25.1-11.6x.i386.rpm \
xtt-fonts-0.19990222-8.6x.noarch.rpm
(Using the -Fvh flags does not work because the new version depends on
the new packages VFlib2 and xtt-fonts; for the same reason check-rpms
cannot handle this update.)
RedHat 7.0
----------
I do not have a RH 7.0 box, but I suspect that the upgrade procedure is
similar to RH6.2, i.e., first check whether ghostscript is installed
and then:
rpm -Uvh ghostscript-6.51-16.1.7x.i386.rpm \
VFlib2-2.25.1-12.i386.rpm \
xtt-fonts-0.19990222-9.noarch.rpm
RedHat 7.1
----------
rpm -Fvh ghostscript-6.51-16.1.7x.i386.rpm
RedHat 7.2
----------
rpm -Fvh ghostscript-6.51-16.2.i386.rpm \
printconf-0.3.61-4.1.i386.rpm \
printconf-gui-0.3.61-4.1.i386.rpm
RedHat 7.3
----------
rpm -Fvh ghostscript-6.52-9.4.i386.rpm
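
An added example (not part of the original post): a shell helper that compares the output of `rpm -q ghostscript` with the fixed builds listed above for each Red Hat release. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of rpm's own version ordering.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of the advisory.

# Fixed ghostscript version-release per Red Hat release, as listed in the post
# (the 7.0 entry is the one the post only suspects).
fixed_build() {
    case "$1" in
        6.*)     echo "6.51-16.1.6x.1" ;;
        7.0|7.1) echo "6.51-16.1.7x" ;;
        7.2)     echo "6.51-16.2" ;;
        7.3)     echo "6.52-9.4" ;;
        *)       return 1 ;;
    esac
}

# ver_ge A B: succeeds when A sorts at or after B.
# Assumption: GNU `sort -V` is close enough to rpm's ordering for these strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_ghostscript RELEASE RPM_Q_OUTPUT
# Prints one of: not-installed, unknown-release, vulnerable, patched.
check_ghostscript() {
    release=$1
    pkg=$2
    case "$pkg" in
        ghostscript-[0-9]*) ;;                 # looks like name-version-release
        *) echo "not-installed"; return 0 ;;   # e.g. "package ghostscript is not installed"
    esac
    fixed=$(fixed_build "$release") || { echo "unknown-release"; return 0; }
    installed=${pkg#ghostscript-}
    if ver_ge "$installed" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample input; on a real host pass "$(rpm -q ghostscript)" instead.
check_ghostscript 7.1 "ghostscript-6.51-16"
```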