Hi Steve,

I've sent mail to [email protected] to update the information.

It has now been updated at https://nvd.nist.gov/vuln/detail/CVE-2020-36773

Thanks & Regards,
Vijay

On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman <[email protected]> wrote:

> On Wed, Feb 7, 2024 at 8:42 PM Vijay Anusuri via
> lists.openembedded.org <[email protected]>
> wrote:
> >
> > From: Vijay Anusuri <[email protected]>
> >
> > Artifex Ghostscript before 9.53.0 has an out-of-bounds write and
> > use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single
> > character code in a PDF document can map to more than one Unicode code
> > point (e.g., for a ligature).
> >
> > Reference: https://ubuntu.com/security/CVE-2020-36773
> >
> > Signed-off-by: Vijay Anusuri <[email protected]>
> > ---
> >  meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > index e0d1e4618f..cc06d092c1 100644
> > --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > @@ -26,6 +26,10 @@ CVE_CHECK_IGNORE += "CVE-2013-6629"
> >  # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
> >  CVE_CHECK_IGNORE += "CVE-2023-38560"
> >
> > +# This CVE affects Ghostscript before 9.53.0
> > +# https://ubuntu.com/security/CVE-2020-36773
> > +CVE_CHECK_IGNORE += "CVE-2020-36773"
>
> When there is an error in the upstream database it is preferred that
> you send an email to [email protected] requesting an update
> (giving links that justify the change to make it easy for them to
> research).
>
> They are usually quite responsive, and this is much preferred to
> carrying an IGNORE in our metadata.
>
> Thanks!
>
> Steve
>
> > +
> >  def gs_verdir(v):
> >      return "".join(v.split("."))
> >
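
Review bot: The comment above the added CVE_CHECK_IGNORE line says only that the CVE affects Ghostscript before 9.53.0, and leaves the reader to infer from the file name (ghostscript_9.55.0.bb) that this recipe already carries the fix. State that directly in the comment, and say that the entry is there only because the upstream database record lists the wrong affected versions, so that it is clearly temporary and gets removed once that record is corrected. As written, nothing in the recipe signals that the ignore should ever be dropped, and it will keep suppressing the cve-check result for this ID indefinitely.
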
> > --
> > 2.25.1
> >
> >
> > 
> >
>
--- Begin Message ---
Good afternoon,

We apologize for the late response as we are currently experiencing a large 
volume of CPE related inquiries.

Thank you for bringing this to our attention. We appreciate community input in 
order to provide the most accurate and up-to-date information as possible. 
After reviewing publicly available information we have made the appropriate 
modifications.  Please allow up to 24 hours for the changes to be reflected on 
the website and in the data feeds.


V/r,

Common Platform Enumeration Team

National Institute of Standards and Technology (NIST)

[email protected]


From: Vijay Anusuri <[email protected]>
Sent: Thursday, February 8, 2024 10:52 PM
To: cpe_dictionary <[email protected]>
Subject: CVE-2020-36773 update

Hi Team,

CVE-2020-36773 was fixed in Ghostscript version 9.53.0 by the commit below:
https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874

This issue was introduced in 9.51, as described in the patch.

Affected versions: 9.51 & 9.52
References: https://ghostscript.com/docs/9.53.3/History9.htm
                    https://ubuntu.com/security/CVE-2020-36773

Could you please update this in the upstream database?

Thanks & Regards,
Vijay

--- End Message ---