Issued:
2012-02-02
Updated:
2012-02-02

RHSA-2012:0096 - Security Advisory

Synopsis

Moderate: ghostscript security update

Type/Severity

Security Advisory: Moderate

Topic

Updated ghostscript packages that fix two security issues are now available
for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Ghostscript is a set of software that provides a PostScript interpreter, a
set of C procedures (the Ghostscript library, which implements the graphics
capabilities in the PostScript language) and an interpreter for Portable
Document Format (PDF) files.

Ghostscript included the current working directory in its library search
path by default. If a user ran Ghostscript without the "-P-" option in an
attacker-controlled directory containing a specially-crafted PostScript
library file, it could cause Ghostscript to execute arbitrary PostScript
code. With this update, Ghostscript no longer searches the current working
directory for library files by default. (CVE-2010-4820)

Note: The fix for CVE-2010-4820 could possibly break existing
configurations. To use the previous, vulnerable behavior, run Ghostscript
with the "-P" option (to always search the current working directory
first).

A flaw was found in the way Ghostscript interpreted PostScript Type 1 and
PostScript Type 2 font files. An attacker could create a specially-crafted
PostScript Type 1 or PostScript Type 2 font file that, when interpreted,
could cause Ghostscript to crash or, potentially, execute arbitrary code.
(CVE-2010-4054)

Users of Ghostscript are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

  • BZ - 646086 - CVE-2010-4054 ghostscript: glyph data access improper input validation
  • BZ - 771853 - CVE-2010-4820 ghostscript: CWD included in the default library search path

CVEs

References

Red Hat Enterprise Linux Server 4

SRPM
ghostscript-7.07-33.13.el4.src.rpm SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
x86_64
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-7.07-33.13.el4.x86_64.rpm SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-devel-7.07-33.13.el4.x86_64.rpm SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
ia64
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.ia64.rpm SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-7.07-33.13.el4.ia64.rpm SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-devel-7.07-33.13.el4.ia64.rpm SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-devel-7.07-33.13.el4.ia64.rpm SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-gtk-7.07-33.13.el4.ia64.rpm SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
ghostscript-gtk-7.07-33.13.el4.ia64.rpm SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
i386
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-devel-7.07-33.13.el4.i386.rpm SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2
ghostscript-gtk-7.07-33.13.el4.i386.rpm SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2

Red Hat Enterprise Linux Workstation 4

SRPM
ghostscript-7.07-33.13.el4.src.rpm SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
x86_64
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
ia64
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.ia64.rpm SHA-256: 8f7fa65f355a8ce3c7ffd3a4cab2319d344a363dffb7b149191337bac97f9ce8
ghostscript-devel-7.07-33.13.el4.ia64.rpm SHA-256: 2883b89b65cf80d278fd6968b8f2790797fb7ae4bfec777784cb08ea041fcf52
ghostscript-gtk-7.07-33.13.el4.ia64.rpm SHA-256: 020e00c9b2407058d0af4fedbeb23c6b99c25c07a158b0b49ba1c37cb50f5d87
i386
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2

Red Hat Enterprise Linux Desktop 4

SRPM
ghostscript-7.07-33.13.el4.src.rpm SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
x86_64
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-7.07-33.13.el4.x86_64.rpm SHA-256: 4fcd1baa1912ecbee5b7c8d85e9f1df8b01d7bde04229f4e431eaa67d94a9b7a
ghostscript-devel-7.07-33.13.el4.x86_64.rpm SHA-256: 5e014545e1c2e4ff16f5b59dd78669896726a78f06ebf85c2911978f0573d801
ghostscript-gtk-7.07-33.13.el4.x86_64.rpm SHA-256: 980337aa40ba047cf1b954c7e33edce95e522f24cbac7153c84ec3f8d15903a3
i386
ghostscript-7.07-33.13.el4.i386.rpm SHA-256: edd1b65ccb1ab4bce6bcc686ef9aa5984eb0b1b26254af2d28a197ee2a0d1dc2
ghostscript-devel-7.07-33.13.el4.i386.rpm SHA-256: cd18984ae4667295a8c4f8c7a96887434c5d6b68e873f4fca4335a429275c08a
ghostscript-gtk-7.07-33.13.el4.i386.rpm SHA-256: bca7d508bacdc35c4f0b4013a1d765fd004df6dde1d6353d27bec6900e6b45e2

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
ghostscript-7.07-33.13.el4.src.rpm SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
s390x
ghostscript-7.07-33.13.el4.s390.rpm SHA-256: a01e8000d7482c3f734827c261c9cf4cae80ae9b50103f94090b642230938cc6
ghostscript-7.07-33.13.el4.s390x.rpm SHA-256: eb66969056ac21e58f3029fe4a544dc9ea56d160ad2b1391089de92b25a44e6f
ghostscript-devel-7.07-33.13.el4.s390x.rpm SHA-256: 4f75c91c6747515935e0d1b51ffc14b5c9c658025a2c87c3f7547c6d37283436
ghostscript-gtk-7.07-33.13.el4.s390x.rpm SHA-256: d5f7d744fc8ced2af99210b32773a7c4ab14c904accc6afd2a990d7c990d4723
s390
ghostscript-7.07-33.13.el4.s390.rpm SHA-256: a01e8000d7482c3f734827c261c9cf4cae80ae9b50103f94090b642230938cc6
ghostscript-devel-7.07-33.13.el4.s390.rpm SHA-256: 9c5d8eb36a8c1774e080d2900992b4bbadec3b02f7d818ac0b6d0813cf94afb8
ghostscript-gtk-7.07-33.13.el4.s390.rpm SHA-256: b16916a7757f3993193948b8ee763bde650afb2b31856bdbee11884e272bd415

Red Hat Enterprise Linux for Power, big endian 4

SRPM
ghostscript-7.07-33.13.el4.src.rpm SHA-256: aeca7cb6b7aa01c7b7f1ff460c027ef97d0fc8e0296173ea78459b0f6c0a842c
ppc
ghostscript-7.07-33.13.el4.ppc.rpm SHA-256: 35180707811f32cf1481bc8486e861424c18007340a7808e5d9ed4aac7ac2abd
ghostscript-7.07-33.13.el4.ppc64.rpm SHA-256: 190a87dc774b2a7c35b08c675053c797429ca87f6343bdefcbfbdf270f1db84f
ghostscript-devel-7.07-33.13.el4.ppc.rpm SHA-256: e21304602b9fa9b50d04287bc60e2b533fe8075cd2356566dc35d78e2223402d
ghostscript-gtk-7.07-33.13.el4.ppc.rpm SHA-256: 28986429bd02bcb2bc14f3af9f354810dd57b33e47dafd7bdc15dd0d09b95e7e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.