Updated packages and ghostview/ghostscript flaws
Hi I recently visited the update-pages of suse and noticed a lot of security-related packages that are related to flaws in Ghostview and ghostscript. Some of these packages I have never heard of (like cmap-adobe or CID-keyed-fonts). What are these packages and what is wrong with it? The descriptions on the site are not very detailled. Why should I update this stuff ? I know of two vulnerabilities that are related to malicious pdf or ps documents. One is in ghostscript (CAN-2002-0363). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363 and another is in ghostview (CAN-2001-0832). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0832 How do I know what packages fix one of these vulnerabilities (if they indeed do so)? Greetings Bone Machine (in despair) --- "Somebody got hurt" - The Pixies ---
* Bonemach; <bonemach@sdf.lonestar.org> on 14 Oct, 2002 wrote:
I know of two vulnerabilities that are related to malicious pdf or ps documents. One is in ghostscript (CAN-2002-0363). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363 and another is in ghostview (CAN-2001-0832). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0832
How do I know what packages fix one of these vulnerabilities (if they indeed do so)?
http://dinamizm.ath.cx/articles/patches.html -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
On Mon, 14 Oct 2002, Bonemach wrote:
Hi I recently visited the update-pages of suse and noticed a lot of security-related packages that are related to flaws in Ghostview and ghostscript. Some of these packages I have never heard of (like cmap-adobe or CID-keyed-fonts). What are these packages and what is wrong with it? The descriptions on the site are not very detailled. Why should I update this stuff ?
It seems from the names that they are mostly related to Asian fonts, and the info files say they are compiled from ghostscript sources (which of course were just updated for the SAFER bug as the info file says.) I downloaded one (CMap-Adobe-Identity) to find out more ... and I see Description : CMap (Character Map) files for the Adobe-Identity character collection. but none of the CMap-Adobe nor CID-keyed rpms are on my 7.3 distribution CDs. I couldn't google any docs (in English) for end-user install and use of these files -- the closest I got was http://examples.oreilly.com/cjkvinfo/adobe/00README so any pointers to docs dumbed down for an anglocentric person who doesn't know postscript font magic will be welcome Any way, for now, they are enormous downloads and don't seem to offer me more than simply updating ghostscript-x11-6.51-159.i386 Maybe SuSE 7.3 sold in Japan had an extra CD with CJKV gs fonts ?? dproc
On Mon, Oct 14, 2002 at 04:14:27PM +0200, Bonemach wrote:
Some of these packages I have never heard of (like cmap-adobe or CID-keyed-fonts). What are these packages and what is wrong with it? The descriptions on the site are not very detailled. Why should I update this stuff ?
You need to update the ghostscript interpreter itself, i.e. the package ghostscript-library. All the other packages are rebuilt along with the base package, and released along with it.
I know of two vulnerabilities that are related to malicious pdf or ps documents. One is in ghostscript (CAN-2002-0363). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363 and another is in ghostview (CAN-2001-0832). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0832
How do I know what packages fix one of these vulnerabilities (if they indeed do so)?
Read our security advisories:-) Quoting from the most recent one, section "Pending": - ghostscript (CVE CAN-2002-0363) In ghostscript 6.50, setting the interpreter to SAFE mode was reversible. This could be exploited to subvert the accounts of users viewing malicious PostScript[tm], as well as the lp acount if the print system was enabled. SuSE has released updated RPMs for SuSE Linux 7.3 and SuSE Linux Enterprise Server 7 for PowerPC. No other SuSE platform is affected. - gv/ggv/kghostview (CVE CAN-2002-0832) The ghostview (gv) code had several buffer overflows when handling PostScript[tm] structural comments. These were also present in the GNOME and KDE PostScript viewers derived from it. SuSE has released fixed packages for these vulnerabilities. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann
participants (4)
-
Bonemach -
dproc@dol.net -
Olaf Kirch -
Togan Muftuoglu