-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
NotDashEscaped: You need gpg to verify this message

==========================================================================
Ubuntu Security Notice USN-6835-1
June 17, 2024

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript did not properly restrict eexec
seeds to those specified by the Type 1 Font Format standard when
SAFER mode is used. An attacker could use this issue to bypass SAFER
restrictions and cause unspecified impact. (CVE-2023-52722)
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.

Thomas Rinsma discovered that Ghostscript did not prevent changes to
uniprint device argument strings after SAFER is activated, resulting
in a format-string vulnerability. An attacker could possibly use this
to execute arbitrary code. (CVE-2024-29510)

Zdenek Hutyra discovered that Ghostscript did not properly perform
path reduction when validating paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy and
possibly execute arbitrary code. (CVE-2024-33869)

Zdenek Hutyra discovered that Ghostscript did not properly check
arguments when reducing paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy.
(CVE-2024-33870)

Zdenek Hutyra discovered that the "Driver" parameter for Ghostscript's
"opvp"/"oprp" device allowed specifying the name of an arbitrary dynamic
library to load. An attacker could use this to execute arbitrary code.
(CVE-2024-33871)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ghostscript                     10.02.1~dfsg1-0ubuntu7.1
  ghostscript-doc                 10.02.1~dfsg1-0ubuntu7.1

Ubuntu 23.10
  ghostscript                     10.01.2~dfsg1-0ubuntu2.3
  ghostscript-doc                 10.01.2~dfsg1-0ubuntu2.3
  ghostscript-x                   10.01.2~dfsg1-0ubuntu2.3

Ubuntu 22.04 LTS
  ghostscript                     9.55.0~dfsg1-0ubuntu5.7
  ghostscript-doc                 9.55.0~dfsg1-0ubuntu5.7
  ghostscript-x                   9.55.0~dfsg1-0ubuntu5.7

Ubuntu 20.04 LTS
  ghostscript                     9.50~dfsg-5ubuntu4.12
  ghostscript-doc                 9.50~dfsg-5ubuntu4.12
  ghostscript-x                   9.50~dfsg-5ubuntu4.12

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6835-1
  CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870,
  CVE-2024-33871

Package Information:
  https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.1
  https://launchpad.net/ubuntu/+source/ghostscript/10.01.2~dfsg1-0ubuntu2.3
  https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.7
  https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.12
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmZwxK4ACgkQ3gXQmO/T
r3yOAQ/+NUTiKTAkI/XpceJpULY0tJiBZR37xhnxiKSuFoAQY5RrRuGxpC6sPXwi
16Xoyo2gvDEfeaV4zn/jCfw4Lf4L1+JNbAOS1Yvnvg0Ags+b/bAUAlMV0E+7Jyap
gVbd7T8c2oIMFFq6S78qi5Gl4kyHYiVAgxZNtJiMztTpF+qG2frcObLIW5JpzQZ3
mZIRtoSAjyhKOoAfq2BXq/nuk0GzXu4wGEN2FEag6VRRW92Ti0rfdYjNYgcQ44Ii
VTM5bYtvIjqI+uLbUEUiPQ91OZ4yg3K/pTRLnIVyoAo95Huqc6N+lZmXD97yokXj
m4BU1iWSFBUS2kf/3aoNtkGqhIv/2sGYs3CNHBC23eE7IXsBbwaCpeF8Ogsx2eKe
phpJMeCtvdTmq4+s0l5r4mwAKhHuvklQGwHe/5sDpJbZTW1qtdWmFzXaiKyHGDDw
0nEyKkRKP0c3yC6I0Aht2gVk/pYiwhpVe5TGICl0lbRXO7DEEU5ns2t+C0xnMBz4
cV2FE6rouRDJTlFPWtLmxT0BpHn+xBMLabEuPFJAlXRjy9dLKPrZVgkXe/9NROQm
hUCuuKAHLKWK8rZC1c3T2DiE9dDQZs9KUZRKB0ZhZzLYC+pGu8DW9Ud6NDMB3LAO
yDANPKeEG+09Ho2u4NbhbuLUMSzvNazZDpm2ZMi1vECul/nZ/ns=
=WJrB
-----END PGP SIGNATURE-----

Ubuntu 6835-1: Ghostscript Security Advisory Updates

June 17, 2024
Several security issues were fixed in Ghostscript.

Summary

Ubuntu Security Notice USN-6835-1 June 17, 2024 ghostscript vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Ghostscript. Software Description: - ghostscript: PostScript and PDF interpreter Details: It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. (CVE-2023-52722) This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. Thomas Rinsma discovered that Ghostscript did not prevent changes to uniprint device argument strings after SAFER is activated, resulting in a format-string vulnerability. An attacker could possibly use this to execute arbitrary code. (CVE-2024-29510) Zdenek Hutyra discovered that Ghostscript did not properly perform path reduction when validating paths. An attacker could use this to access file locations outside of those allowed by SAFER policy and possibly execute arbitrary code. (CVE-2024-33869) Zdenek Hutyra discovered that Ghostscript did not properly check arguments when reducing paths. An attacker could use this to access file locations outside of those allowed by SAFER policy. (CVE-2024-33870) Zdenek Hutyra discovered that the "Driver" parameter for Ghostscript's "opvp"/"oprp" device allowed specifying the name of an arbitrary dynamic library to load. An attacker could use this to execute arbitrary code. (CVE-2024-33871)

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS ghostscript 10.02.1~dfsg1-0ubuntu7.1 ghostscript-doc 10.02.1~dfsg1-0ubuntu7.1 Ubuntu 23.10 ghostscript 10.01.2~dfsg1-0ubuntu2.3 ghostscript-doc 10.01.2~dfsg1-0ubuntu2.3 ghostscript-x 10.01.2~dfsg1-0ubuntu2.3 Ubuntu 22.04 LTS ghostscript 9.55.0~dfsg1-0ubuntu5.7 ghostscript-doc 9.55.0~dfsg1-0ubuntu5.7 ghostscript-x 9.55.0~dfsg1-0ubuntu5.7 Ubuntu 20.04 LTS ghostscript 9.50~dfsg-5ubuntu4.12 ghostscript-doc 9.50~dfsg-5ubuntu4.12 ghostscript-x 9.50~dfsg-5ubuntu4.12 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6835-1

CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870,

CVE-2024-33871

Severity
Hash: SHA512

Package Information

https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.1 https://launchpad.net/ubuntu/+source/ghostscript/10.01.2~dfsg1-0ubuntu2.3 https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.7 https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.12 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmZwxK4ACgkQ3gXQmO/T r3yOAQ/+NUTiKTAkI/XpceJpULY0tJiBZR37xhnxiKSuFoAQY5RrRuGxpC6sPXwi 16Xoyo2gvDEfeaV4zn/jCfw4Lf4L1+JNbAOS1Yvnvg0Ags+b/bAUAlMV0E+7Jyap gVbd7T8c2oIMFFq6S78qi5Gl4kyHYiVAgxZNtJiMztTpF+qG2frcObLIW5JpzQZ3 mZIRtoSAjyhKOoAfq2BXq/nuk0GzXu4wGEN2FEag6VRRW92Ti0rfdYjNYgcQ44Ii VTM5bYtvIjqI+uLbUEUiPQ91OZ4yg3K/pTRLnIVyoAo95Huqc6N+lZmXD97yokXj m4BU1iWSFBUS2kf/3aoNtkGqhIv/2sGYs3CNHBC23eE7IXsBbwaCpeF8Ogsx2eKe phpJMeCtvdTmq4+s0l5r4mwAKhHuvklQGwHe/5sDpJbZTW1qtdWmFzXaiKyHGDDw 0nEyKkRKP0c3yC6I0Aht2gVk/pYiwhpVe5TGICl0lbRXO7DEEU5ns2t+C0xnMBz4 cV2FE6rouRDJTlFPWtLmxT0BpHn+xBMLabEuPFJAlXRjy9dLKPrZVgkXe/9NROQm hUCuuKAHLKWK8rZC1c3T2DiE9dDQZs9KUZRKB0ZhZzLYC+pGu8DW9Ud6NDMB3LAO yDANPKeEG+09Ho2u4NbhbuLUMSzvNazZDpm2ZMi1vECul/nZ/ns= =WJrB -----END PGP SIGNATURE-----

Related News

Google Releases Chrome 130 with Critical Security Fixes for 17 Flaws
3 - 5 min read
Google recently unveiled Chrome 130 , an update that addresses several security vulnerabilities to ensure the web browser's safety and reliability.
U.S. Investigation into China-Backed Telecom Companies Hack: The Role & Risks of Encryption Backdoors
3 - 5 min read
U.S. authorities are on high alert as they investigate an alleged Chinese state-sponsored hack targeting major U.S. telecommunications companies.
FASTCash Linux Malware: A New Cybercrime Menace Targeting Payment Switch Systems
3 - 5 min read
As malware threats evolve to increasingly target Linux systems, admins and organizations must stay up-to-date on the latest Linux malware variants
Optimizing CWPP on Linux Servers: Best Practices and Configurations
3 - 6 min read
Cloud Workload Protection Platforms are now essential for securing virtual environments. These provide a robust security layer vital for addressing
The Infiltration of Supply Chain Attacks in Open-Source Software Management
3 - 6 min read
Open-source projects are renowned for their collaborative nature and widespread adoption, yet more sophisticated supply chain attacks target them
Strengthen Your Linux Software Development Pipeline with Code Security Scanners
3 - 6 min read
Developers recognize the critical nature of protecting software systems as cyberattacks grow more sophisticated, thus necessitating robust security
Everything You Need to Know About Cloud Security Posture Management
3 - 5 min read
Many companies are transitioning from physical servers to cloud operations, but this transformation brings new challenges. Cloud Security Posture
Understanding the Critical Oath-Toolkit Vulnerability and Its Implications for Admins
3 - 5 min read
As Linux security threats advance and evolve, vulnerabilities often surface unexpectedly, exposing systems to potential exploitation. SUSE

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved