openSUSE Security Update: ghostscript security update ______________________________________________________________________________ Announcement ID: openSUSE-SU-2010:0425-1 Rating: important References: #559122 #605043 #608071 Cross-References: CVE-2009-4270 CVE-2009-4897 CVE-2010-1628 CVE-2010-1869 CVE-2010-2055 Affected Products: openSUSE 11.0 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: Specially crafted postscript (.ps) files could cause buffer overflows in ghostscript that could potentially be exploited to execute arbitrary code (CVE-2010-1628, CVE-2010-1869, CVE-2009-4270) ghostscript by default read some initialization files from the current working directory. Local attackers could potentially exploit that to have other users execute arbitrary commands by placing such files e.g. in /tmp (CVE-2010-2055). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.0: zypper in -t patch ghostscript-devel-2705 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.0 (i586 ppc src x86_64): ghostscript-library-8.62-17.8 - openSUSE 11.0 (i586 ppc x86_64): ghostscript-devel-8.62-17.8 ghostscript-fonts-other-8.62-17.8 ghostscript-fonts-rus-8.62-17.8 ghostscript-fonts-std-8.62-17.8 ghostscript-ijs-devel-8.62-17.8 ghostscript-omni-8.62-17.8 ghostscript-x11-8.62-17.8 libgimpprint-4.2.7-258.8 libgimpprint-devel-4.2.7-258.8 References: http://support.novell.com/security/cve/CVE-2009-4270.html http://support.novell.com/security/cve/CVE-2009-4897.html http://support.novell.com/security/cve/CVE-2010-1628.html http://support.novell.com/security/cve/CVE-2010-1869.html http://support.novell.com/security/cve/CVE-2010-2055.html https://bugzilla.novell.com/559122 https://bugzilla.novell.com/605043 https://bugzilla.novell.com/608071