secu...

Thomas Lotterer Tue, 03 Jun 2003 22:18:22 -0700

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________


  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   03-Jun-2003 14:11:25
  Branch: HEAD                             Handle: 2003060313112401

  Added files:
    openpkg-web/security    OpenPKG-SA-2003.030-ghostscript.txt
  Modified files:
    openpkg-web             security.txt security.wml

  Log:
    SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands

  Summary:
    Revision    Changes     Path
    1.36        +1  -0      openpkg-web/security.txt
    1.52        +1  -0      openpkg-web/security.wml
    1.1         +99 -0      openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security.txt
  ============================================================================
  $ cvs diff -u -r1.35 -r1.36 security.txt
  --- openpkg-web/security.txt  16 May 2003 09:39:04 -0000      1.35
  +++ openpkg-web/security.txt  3 Jun 2003 12:11:24 -0000       1.36
  @@ -1,3 +1,4 @@
  +03-Jun-2003: Security Advisory: S<OpenPKG-SA-2003.030-ghostscript>
   16-May-2003: Security Advisory: S<OpenPKG-SA-2003.029-gnupg>
   07-Apr-2003: Security Advisory: S<OpenPKG-SA-2003.028-samba>
   30-Mar-2003: Security Advisory: S<OpenPKG-SA-2003.027-sendmail>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security.wml
  ============================================================================
  $ cvs diff -u -r1.51 -r1.52 security.wml
  --- openpkg-web/security.wml  16 May 2003 09:39:04 -0000      1.51
  +++ openpkg-web/security.wml  3 Jun 2003 12:11:24 -0000       1.52
  @@ -78,6 +78,7 @@
   </define-tag>
   <box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
   <table cellspacing=0 cellpadding=0 border=0>
  +  <sa 2003.030 ghostscript>
     <sa 2003.029 gnupg>
     <sa 2003.028 samba>
     <sa 2003.027 sendmail>
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
  ============================================================================
  $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.030-ghostscript.txt
  --- /dev/null 2003-06-03 14:11:25.000000000 +0200
  +++ OpenPKG-SA-2003.030-ghostscript.txt       2003-06-03 14:11:25.000000000 +0200
  @@ -0,0 +1,99 @@
  +________________________________________________________________________
  +
  +OpenPKG Security Advisory                            The OpenPKG Project
  +http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  +OpenPKG-SA-2003.030                                          03-Jun-2003
  +________________________________________________________________________
  +
  +Package:             ghostscript
  +Vulnerability:       execute arbitrary commands
  +OpenPKG Specific:    no
  +
  +Affected Releases:   Affected Packages:          Corrected Packages:
  +OpenPKG CURRENT      none                        N.A.
  +OpenPKG 1.2          none                        N.A.
  +OpenPKG 1.1          <= ghostscript-7.04-1.1.0   >= ghostscript-7.04-1.1.1 
  +
  +Dependent Packages:  none FIXME
  +
  +Affected Releases:   Dependent Packages: FIXME
  +OpenPKG CURRENT      bar quux
  +OpenPKG 1.2          bar quux
  +OpenPKG 1.1          bar 
  +
  +FIXME
  +    gv.spec         BuildPreReq: X11, xaw3d, ghostscript
  +    gv.spec         PreReq:      X11, xaw3d, ghostscript
  +    latex2html.spec BuildPreReq: perl, ghostscript, tetex, png, netpbm
  +    latex2html.spec PreReq:      perl, ghostscript, tetex, png, netpbm
  +    libwmf.spec     BuildPreReq: X11, libxml, freetype, zlib, png, jpeg, gd, 
ghostscript = %{V_ghostscript}
  +    libwmf.spec     PreReq:      X11, libxml, freetype, zlib, png, jpeg, gd, 
ghostscript = %{V_ghostscript}
  +    lyx.spec        PreReq:      gv, ghostscript, ghostscript::with_x11 = yes
  +    mgv.spec        PreReq:      X11, ghostscript
  +    pstoedit.spec   BuildPreReq: ghostscript, gcc, png, zlib
  +    pstoedit.spec   PreReq:      ghostscript
  +    sam2p.spec      BuildPreReq: ghostscript, jpeg, gzip, infozip, make, gcc, perl, 
bash
  +    sam2p.spec      PreReq:      ghostscript, jpeg, gzip, infozip
  +    scribus.spec    BuildPreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
  +    scribus.spec    PreReq:      qt, freetype, ghostscript, png, jpeg, tiff, zlib
  +    tex4ht.spec     PreReq:      tetex, ghostscript, imagemagick
  +
  +Description:
  +  According to a RedHat security advisory [1] a flaw in unpatched
  +  versions of Ghostscript before 7.07 allows malicious postscript files
  +  to execute arbitrary commands even with -dSAFER enabled.  The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0354 [2] to the problem.
  +
  +  Please check whether you are affected by running "<prefix>/bin/rpm -q
  +  ghostscript". If you have the "ghostscript" package installed and its
  +  version is affected (see above), we recommend that you immediately
  +  upgrade it (see Solution) and it's dependent packages (see above), if
  +  any, too. [3][4]
  +
  +Solution:
  +  First, please avoid applying an obsolete security update by ensuring
  +  that a more recent one doesn't exist. Also, ensure that this advisory
  +  has not been revoked by visiting the OpenPKG security page [5].
  +
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [6], fetch it from the OpenPKG FTP service [7] or a mirror
  +  location, verify its integrity [8], build a corresponding binary RPM
  +  from it [3] and update your OpenPKG installation by applying the binary
  +  RPM [4]. For the affected release OpenPKG 1.1, perform the following
  +  operations to permanently fix the security problem (for other releases
  +  adjust accordingly).
  +
  +  $ ftp ftp.openpkg.org
  +  ftp> bin
  +  ftp> cd release/1.1/UPD
  +  ftp> get ghostscript-7.04-1.1.1.src.rpm
  +  ftp> bye
  +  $ <prefix>/bin/rpm -v --checksig ghostscript-7.04-1.1.1.src.rpm
  +  $ <prefix>/bin/rpm --rebuild ghostscript-7.04-1.1.1.src.rpm
  +  $ su -
  +  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/ghostscript-7.04-1.1.1.*.rpm
  +
  +  Additionally, we recommend that you rebuild and reinstall
  +  all dependent packages (see above), if any, too. [3][4]
  +________________________________________________________________________
  +
  +References:
  +  [1]  http://rhn.redhat.com/errata/RHSA-2003-181.html
  +  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0354
  +  [3]  http://www.openpkg.org/tutorial.html#regular-source
  +  [4]  http://www.openpkg.org/tutorial.html#regular-binary
  +  [5]  http://www.openpkg.org/security.html#revoked
  +  [6]  ftp://ftp.openpkg.org/release/1.1/UPD/ghostscript-7.04-1.1.1.src.rpm
  +  [7]  ftp://ftp.openpkg.org/release/1.1/UPD/
  +  [8]  http://www.openpkg.org/security.html#signature
  +________________________________________________________________________
  +
  +For security reasons, this advisory was digitally signed with the
  +OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
  +OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  +hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  +for details on how to verify the integrity of this advisory.
  +________________________________________________________________________
  +
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]

[CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...

Reply via email to