
Title: Security problems with ghostscript
Released by: Caldera
Date: 22nd November 2000
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



______________________________________________________________________________
   Caldera Systems, Inc.  Security Advisory

Subject: Two security problems with ghostscript
Advisory number: CSSA-2000-041.0
Issue date: 2000 November, 22
Cross reference:
______________________________________________________________________________





1. Problem Description

   Ghostscript creates temporary files insecurely. In addition,
   it is linked in a way that makes it pick up shared libraries
   from the current directory it is in.

   Both problems can probably be exploited to gain increased
   privilege on the system.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                ghostscript-5.10-16

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       ghostscript-5.10-16

   OpenLinux eDesktop 2.4       All packages previous to
                                ghostscript-5.10-16

3. Solution

   Workaround:

     none

   The proper solution is to upgrade to the fixed packages.



4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       http://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       http://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       e3ff617e515cfd03be8854aff089376e  RPMS/ghostscript-5.10-16.i386.rpm
       f9002fe0592b1d8b88641c10cba2cafe  RPMS/ghostscript-doc-5.10-16.i386.rpm
       3d2610bbd43160e2cc3b234bc43cea4d  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv ghostscript-*.i386.rpm



5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       http://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       http://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       ba2ee8c950b3b9ce1791554b5d8e759d  RPMS/ghostscript-5.10-16.i386.rpm
       1645f133c8e557eede173dc6266707fa  RPMS/ghostscript-doc-5.10-16.i386.rpm
       88143839c0685864f2d671c6aa7c40bb  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv ghostscript-*.i386.rpm



6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       http://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       http://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f327bc2ef65c6d66f99d72317d23789b  RPMS/ghostscript-5.10-16.i386.rpm
       7202ab90cbd173fd252c624138710abf  RPMS/ghostscript-doc-5.10-16.i386.rpm
       e1d0ee2161ead248a859d10bcc1dcf6c  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fhv ghostscript-*.i386.rpm



7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 8307.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Dr. Werner Fink of SuSE,
   for discovering the bug and notifying us.



______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.1 (GNU/Linux)

Comment: For info see http://www.gnupg.org



iD8DBQE6G+9P18sy83A/qfwRAkS1AJ9il/Q9CTF8cZV/fD1YhCW/stpVhACfbsEo

Tpo6ZRg+ig4sf5k6k+v7fFs=

=YOJJ

-----END PGP SIGNATURE-----
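
The second problem in section 1, a binary linked so that it picks up shared libraries from the current directory, can be audited on an installed system by inspecting the ELF run path. The script below is an added example, not part of the Caldera advisory or of ghostscript. It assumes the run path (RPATH/RUNPATH) is where the bad search directory is recorded, which the advisory does not state, and that binutils `readelf` is available; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag run-path entries that make the
# dynamic loader search relative to the caller's current directory.

# Print each unsafe entry of a colon-separated run path; return 1 if any.
# "<empty>" marks a zero-length entry, which the loader treats as the cwd.
unsafe_runpath_entries() {
    rest="$1:"          # trailing ':' so a final empty entry is also seen
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '')                      echo "<empty>"; found=1 ;;
            /*)                      ;;   # absolute directory
            '$ORIGIN'*|'${ORIGIN}'*) ;;   # relative to the binary, not the cwd
            *)                       echo "$entry"; found=1 ;;  # ".", "lib", ...
        esac
    done
    return $found
}

# Read `readelf -d` output on stdin; print the value of every RPATH/RUNPATH tag.
runpaths_from_readelf() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)]$/\2/p'
}

# Audit `readelf -d` output on stdin; return 1 if any run path is unsafe.
audit_dynamic_section() {
    runpaths_from_readelf | (
        rc=0
        while IFS= read -r rp; do
            unsafe_runpath_entries "$rp" || rc=1
        done
        exit $rc
    )
}

# Constructed sample of `readelf -d` output (not taken from a real gs binary).
SAMPLE=' 0x00000001 (NEEDED)   Shared library: [libz.so.1]
 0x0000000f (RPATH)    Library rpath: [/usr/X11R6/lib::.]'

if printf '%s\n' "$SAMPLE" | audit_dynamic_section; then
    echo "run path is safe"
else
    echo "run path searches the current directory"
fi
# Real use: readelf -d "$(command -v gs)" | audit_dynamic_section
```

A binary with no RPATH or RUNPATH tag produces no output and passes; a clean result here says nothing about the temporary-file problem, which is only addressed by upgrading to the fixed packages.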


