[linux-security] ghostscript bugs
- To: linux-security
- Subject: [linux-security] ghostscript bugs
- Date: Fri, 24 Nov 2000 11:30:10 -0800 (PST)
Topic
=====
ghostscript creates temporary files in an insecure way and also searches
for shared libraries in the current directory.
Problem Description
===================
ghostscript uses temporary files to do some of its work. Unfortunately
the method used to create those files wasn't secure: mktemp was used
to create a name for a temporary file, but the file was not opened
safely. A second problem is that during the build the LD_RUN_PATH
environment variable was set to the empty string, which causes the
dynamic linker to look in the current directory for shared libraries.
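The first problem, as an added C example (not taken from the advisory or from the ghostscript source): a name returned by mktemp() is opened later without O_EXCL, so the open accepts whatever exists at that path by then, while O_CREAT|O_EXCL or mkstemp() closes that gap. The function names, the /tmp/gs-demo-* scratch directory and the file contents are constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* expose mktemp, mkstemp, mkdtemp, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: the name was picked earlier, and open() without O_EXCL
 * accepts (and follows) whatever sits at that path by now. */
int open_unsafe(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes creation atomic and fails with EEXIST if anything,
 * including a symlink, already exists at the path. */
int open_exclusive(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private scratch directory: the mktemp() name
 * gets taken (linked to "victim") before the program opens it. Returns bits:
 * 1 = unsafe open truncated victim, 2 = O_EXCL refused, 4 = mkstemp() worked. */
int temp_file_demo(void) {
    char dir[] = "/tmp/gs-demo-XXXXXX", victim[64], name[64], fresh[64];
    struct stat st; int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/gs_XXXXXX", dir);
    snprintf(fresh, sizeof fresh, "%s/gs_XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return -1;
    close(fd);
    if (!mktemp(name) || !name[0]) return -1;      /* step 1: a name, no file yet */
    if (symlink(victim, name) != 0) return -1;     /* path is taken in the gap */
    if ((fd = open_unsafe(name)) >= 0) close(fd);  /* step 2: follows the link */
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;
    if (open_exclusive(name) < 0 && errno == EEXIST) result |= 2;
    if ((fd = mkstemp(fresh)) >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        result |= 4;                               /* name and file created in one step */
    if (fd >= 0) close(fd);
    unlink(name); unlink(fresh); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result bits: %d\n", temp_file_demo()); return 0; }
```

The linker warning glibc prints for mktemp() when this is built is expected and points at the same fix.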
Affected Systems
================
all systems that have ghostscript installed
(that should be all systems - how can you live without it? :-)
Solution
========
RedHat 6.x
rpm -Fvh ghostscript-5.50-8_6.x.i386.rpm
RedHat 7.0
rpm -Fvh ghostscript-5.50-8.i386.rpm
Debian
upgrade to gs_5.10-10.1_i386.deb
Mandrake 6.x
rpm -Fvh ghostscript-5.10-10.1mdk.i586.rpm
Mandrake 7.0
rpm -Fvh ghostscript-5.10-17.1mdk.i586.rpm \
ghostscript-Both-5.10-17.1mdk.i586.rpm \
ghostscript-PrintOnly-5.10-17.1mdk.i586.rpm \
ghostscript-SVGALIB-5.10-17.1mdk.i586.rpm \
ghostscript-X-5.10-17.1mdk.i586.rpm
Mandrake 7.1
rpm -Fvh ghostscript-5.50-9.1mdk.i586.rpm \
ghostscript-Both-5.50-9.1mdk.i586.rpm \
ghostscript-PrintOnly-5.50-9.1mdk.i586.rpm \
ghostscript-SVGALIB-5.50-9.1mdk.i586.rpm \
ghostscript-X-5.50-9.1mdk.i586.rpm
Mandrake 7.2
rpm -Fvh ghostscript-5.50-35.1mdk.i586.rpm \
ghostscript-module-SVGALIB-5.50-35.1mdk.i586.rpm \
ghostscript-module-X-5.50-35.1mdk.i586.rpm \
ghostscript-utils-5.50-35.1mdk.i586.rpm