Security update missing for ghostscript CVE-2023-36664
Hi,

I am sure most of you have recently learned about critical security issues in ghostscript. I am surprised to not find any openSUSE updates addressing this issue, nor any announcements on the openSUSE Security Announce mailing list.

Am I missing something, or is CVE-2023-36664 currently unaddressed?

Best regards
Christian
On Thu, Jul 20, 2023 at 02:50:45PM -0000, Christian K via openSUSE Factory wrote:
Hi,
I am sure most of you have recently learned about critical security issues in ghostscript. I am surprised to not find any OpenSUSE updates addressing this issue, nor any announcements on the openSUSE Security Announce mailing list.
Am I missing something, or is CVE-2023-36664 currently unaddressed?
Up to the beginning of this week we had failed to post updates to the openSUSE security announce lists for some months. We have been doing that again since Monday. The update was, however, released last Friday, see this announcement: https://lists.suse.com/pipermail/sle-security-updates/2023-July/015493.html and https://suse.com/security/cve/CVE-2023-36664.html

Ciao, Marcus
Am 20.07.23 um 16:50 schrieb Christian K via openSUSE Factory:
Hi,
I am sure most of you have recently learned about critical security issues in ghostscript. I am surprised to not find any OpenSUSE updates addressing this issue, nor any announcements on the openSUSE Security Announce mailing list.
Am I missing something, or is CVE-2023-36664 currently unaddressed?
Best regards Christian
https://bugzilla.opensuse.org/show_bug.cgi?id=1212711
https://build.opensuse.org/request/show/1096685
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/H...
Thanks for pointing those out.

I am still confused. I reckon the fixed version for Leap 15.4 is package version 9.56, as seen at https://build.opensuse.org/package/binaries/Printing/ghostscript/15.4, yet I am unable to see that version in the updates repo http://download.opensuse.org/update/leap/15.4/sle/x86_64/

Am I looking in the wrong place?
On Thu, Jul 20, 2023 at 03:44:07PM -0000, Christian K via openSUSE Factory wrote:
Thanks for pointing those out.
I am still confused, I reckon the fixed version for Leap 15.4 is package version 9.56 as seen at https://build.opensuse.org/package/binaries/Printing/ghostscript/15.4
yet I am unable to see that version it in the updates repo http://download.opensuse.org/update/leap/15.4/sle/x86_64/
Am I looking in the wrong place?
It's here I think:

https://download.opensuse.org/update/leap/15.4/sle/x86_64/ghostscript-9.52-1...

and the relevant changelog entry is:

* Thu Jun 29 2023 jsmeix@suse.com
- CVE-2023-36664.patch fixes CVE-2023-36664
  see https://bugs.ghostscript.com/show_bug.cgi?id=706761
  "OS command injection in %pipe% access"
  and https://bugs.ghostscript.com/show_bug.cgi?id=706778
  "%pipe% allowed_path bypass"
  and bsc#1212711
  "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"

--
============================
Roger Whittaker
============================
Yes, this is correct: updates of packages inherited from SLES are distributed in the sle-update repository.

On Thu, 2023-07-20 at 17:24 +0100, Roger Whittaker wrote:
On Thu, Jul 20, 2023 at 03:44:07PM -0000, Christian K via openSUSE Factory wrote:
Thanks for pointing those out.
I am still confused, I reckon the fixed version for Leap 15.4 is package version 9.56 as seen at https://build.opensuse.org/package/binaries/Printing/ghostscript/15.4
yet I am unable to see that version it in the updates repo http://download.opensuse.org/update/leap/15.4/sle/x86_64/
Am I looking in the wrong place?
It's here I think:
https://download.opensuse.org/update/leap/15.4/sle/x86_64/ghostscript-9.52-1...
and the relevant changelog entry is:
* Thu Jun 29 2023 jsmeix@suse.com
- CVE-2023-36664.patch fixes CVE-2023-36664
  see https://bugs.ghostscript.com/show_bug.cgi?id=706761
  "OS command injection in %pipe% access"
  and https://bugs.ghostscript.com/show_bug.cgi?id=706778
  "%pipe% allowed_path bypass"
  and bsc#1212711
  "permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)"
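The confusion in this thread comes from comparing version numbers: the Leap 15.4 package stays at 9.52 and carries the fix as a backported patch, so the only reliable evidence on an installed system is the changelog entry Roger quoted. Below is an added example (not from the thread or from any SUSE tooling) that parses `rpm -q --changelog` output and reports which entry first mentions a given CVE. The `SAMPLE_CHANGELOG` is constructed for the example: its first entry reproduces the CVE-2023-36664 entry quoted above, the second entry is invented filler. The `installed_changelog` helper is an assumption about how a practitioner would feed real data in; everything else runs offline.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample in the format of `rpm -q --changelog <package>` output.
# The first entry mirrors the one quoted in the thread; the second entry is
# made up filler for the example and does not come from any real package.
SAMPLE_CHANGELOG = """\
* Thu Jun 29 2023 jsmeix@suse.com
- CVE-2023-36664.patch fixes CVE-2023-36664
  see https://bugs.ghostscript.com/show_bug.cgi?id=706761
  "OS command injection in %pipe% access"
  and https://bugs.ghostscript.com/show_bug.cgi?id=706778
  "%pipe% allowed_path bypass"
  and bsc#1212711
* Mon Jan 02 2023 nobody@example.com
- (constructed entry) unrelated build fix, no security content
"""

# rpm changelog headers look like "* Thu Jun 29 2023 author"; the author part
# may be a bare address or "Name <address>", so match the rest of the line.
HEADER_RE = re.compile(r"^\* ([A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4}) (.+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_changelog(text):
    """Split changelog text into entries of the form
    {"date": datetime, "author": str, "body": str}, newest first."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "date": datetime.strptime(m.group(1), "%a %b %d %Y"),
                "author": m.group(2).strip(),
                "body": [],
            }
            entries.append(current)
        elif current is not None:
            current["body"].append(line)
    for e in entries:
        e["body"] = "\n".join(e["body"])
    return entries


def cves_mentioned(text):
    """All CVE identifiers named anywhere in the changelog, sorted, upper-cased."""
    return sorted({m.group(0).upper() for m in CVE_RE.finditer(text)})


def cve_fix_entry(text, cve):
    """Return the newest changelog entry that names `cve`, or None.

    A package whose version string is below the upstream fixed release can
    still be patched (Leap 15.4 ships 9.52 with CVE-2023-36664.patch), so the
    changelog, not the version, is what to check."""
    cve = cve.upper()
    for entry in parse_changelog(text):
        if cve in cves_mentioned(entry["body"]):
            return entry
    return None


def installed_changelog(package):
    """Changelog of an installed RPM, or None when rpm is not available here.
    Assumption: an rpm-based host; the example falls back to the sample."""
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", package],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    text = installed_changelog("ghostscript") or SAMPLE_CHANGELOG
    entry = cve_fix_entry(text, "CVE-2023-36664")
    if entry is None:
        print("CVE-2023-36664 is NOT mentioned in the ghostscript changelog")
    else:
        print("CVE-2023-36664 fixed in entry dated",
              entry["date"].date(), "by", entry["author"])
```

On a Leap 15.4 host with the sle-update repository enabled, `rpm -q --changelog ghostscript` should contain the entry above after `zypper patch`; if the changelog has no CVE-2023-36664 line, the update has not been installed regardless of what the version string says.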
participants (5):
- Ben Greiner
- Christian K
- Lubos Kocman
- Marcus Meissner
- Roger Whittaker