OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 03-Jun-2003 15:44:02
Branch: HEAD Handle: 2003060314440100
Modified files:
openpkg-web/security OpenPKG-SA-2003.030-ghostscript.txt page.pl
Log:
final polishing and signing
Summary:
Revision Changes Path
1.2 +37 -57 openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
1.16 +1 -1 openpkg-web/security/page.pl
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.030-ghostscript.txt
--- openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt 3 Jun 2003 12:11:25
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2003.030-ghostscript.txt 3 Jun 2003 13:44:01
-0000 1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
@@ -6,64 +9,37 @@
OpenPKG-SA-2003.030 03-Jun-2003
________________________________________________________________________
-Package: ghostscript
-Vulnerability: execute arbitrary commands
-OpenPKG Specific: no
-
-Affected Releases: Affected Packages: Corrected Packages:
-OpenPKG CURRENT none N.A.
-OpenPKG 1.2 none N.A.
-OpenPKG 1.1 <= ghostscript-7.04-1.1.0 >= ghostscript-7.04-1.1.1
-
-Dependent Packages: none FIXME
-
-Affected Releases: Dependent Packages: FIXME
-OpenPKG CURRENT bar quux
-OpenPKG 1.2 bar quux
-OpenPKG 1.1 bar
-
-FIXME
- gv.spec BuildPreReq: X11, xaw3d, ghostscript
- gv.spec PreReq: X11, xaw3d, ghostscript
- latex2html.spec BuildPreReq: perl, ghostscript, tetex, png, netpbm
- latex2html.spec PreReq: perl, ghostscript, tetex, png, netpbm
- libwmf.spec BuildPreReq: X11, libxml, freetype, zlib, png, jpeg, gd,
ghostscript = %{V_ghostscript}
- libwmf.spec PreReq: X11, libxml, freetype, zlib, png, jpeg, gd,
ghostscript = %{V_ghostscript}
- lyx.spec PreReq: gv, ghostscript, ghostscript::with_x11 = yes
- mgv.spec PreReq: X11, ghostscript
- pstoedit.spec BuildPreReq: ghostscript, gcc, png, zlib
- pstoedit.spec PreReq: ghostscript
- sam2p.spec BuildPreReq: ghostscript, jpeg, gzip, infozip, make, gcc, perl,
bash
- sam2p.spec PreReq: ghostscript, jpeg, gzip, infozip
- scribus.spec BuildPreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
- scribus.spec PreReq: qt, freetype, ghostscript, png, jpeg, tiff, zlib
- tex4ht.spec PreReq: tetex, ghostscript, imagemagick
+Package: ghostscript
+Vulnerability: execute arbitrary commands
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= ghostscript-7.04-20021013 >= ghostscript-8.00-20021122
+OpenPKG 1.2 none N.A.
+OpenPKG 1.1 <= ghostscript-7.04-1.1.0 >= ghostscript-7.04-1.1.1
+
+Dependent Packages: none
Description:
- According to a RedHat security advisory [1] a flaw in unpatched
- versions of Ghostscript before 7.07 allows malicious postscript files
- to execute arbitrary commands even with -dSAFER enabled. The Common
- Vulnerabilities and Exposures (CVE) project assigned the id
- CAN-2003-0354 [2] to the problem.
+ According to a Red Hat security advisory [0], a flaw in versions of
+ Ghostscript [1] before 7.07 allows malicious Postscript files to
+ execute arbitrary commands even with command line option -dSAFER
+ enabled. The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CAN-2003-0354 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
ghostscript". If you have the "ghostscript" package installed and its
version is affected (see above), we recommend that you immediately
- upgrade it (see Solution) and it's dependent packages (see above), if
- any, too. [3][4]
+ upgrade it (see Solution) [3][4]
Solution:
- First, please avoid applying an obsolete security update by ensuring
- that a more recent one doesn't exist. Also, ensure that this advisory
- has not been revoked by visiting the OpenPKG security page [5].
-
Select the updated source RPM appropriate for your OpenPKG release
- [6], fetch it from the OpenPKG FTP service [7] or a mirror
- location, verify its integrity [8], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the binary
- RPM [4]. For the affected release OpenPKG 1.1, perform the following
- operations to permanently fix the security problem (for other releases
- adjust accordingly).
+ [5], fetch it from the OpenPKG FTP service [6] or a mirror location,
+ verify its integrity [7], build a corresponding binary RPM from it [3]
+ and update your OpenPKG installation by applying the binary RPM [4].
+ For the affected release OpenPKG 1.1, perform the following operations
+ to permanently fix the security problem (for other releases adjust
+ accordingly).
$ ftp ftp.openpkg.org
ftp> bin
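Review bot: dropping the word "unpatched" from the Description makes the text inconsistent with the table above it: the sentence now reads "a flaw in versions of Ghostscript before 7.07", yet the corrected package for OpenPKG 1.1 is ghostscript-7.04-1.1.1, still a 7.04 build. Restore the qualifier ("unpatched versions of Ghostscript before 7.07") or state that 7.04-1.1.1 carries the backported fix, otherwise a reader checking "rpm -q ghostscript" will conclude the corrected package is itself affected. Two smaller points in the same hunk: the rewritten sentence "upgrade it (see Solution) [3][4]" lost its terminating period, and "Dependent Packages: none" replaces a FIXME list of ten spec files with a runtime PreReq on ghostscript (gv, latex2html, libwmf, lyx, mgv, pstoedit, sam2p, scribus, tex4ht); that is fine if "dependent" here means packages that need a rebuild rather than a runtime dependency, but the removed list suggests it was checked, so a one-line "none (dependents link dynamically)" would make the reasoning visible.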
@@ -74,20 +50,17 @@
$ <prefix>/bin/rpm --rebuild ghostscript-7.04-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/ghostscript-7.04-1.1.1.*.rpm
-
- Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too. [3][4]
________________________________________________________________________
References:
- [1] http://rhn.redhat.com/errata/RHSA-2003-181.html
+ [0] http://rhn.redhat.com/errata/RHSA-2003-181.html
+ [1] http://www.ghostscript.com/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0354
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
- [5] http://www.openpkg.org/security.html#revoked
- [6] ftp://ftp.openpkg.org/release/1.1/UPD/ghostscript-7.04-1.1.1.src.rpm
- [7] ftp://ftp.openpkg.org/release/1.1/UPD/
- [8] http://www.openpkg.org/security.html#signature
+ [5] ftp://ftp.openpkg.org/release/1.1/UPD/ghostscript-7.04-1.1.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [7] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
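Review bot: the reference list is renumbered (Red Hat moves to [0], [5]-[8] become [5]-[7]) and the old [5] "revoked" link disappears together with the paragraph that cited it, which is consistent within the visible hunks; however the unchanged signature paragraph between this hunk and the next ("For security reasons, this advisory was digitally signed ... for details on how to verify the integrity") is not shown, so confirm it does not still cite the integrity-check reference as [8], which no longer exists. Starting the list at [0] also differs from the 1.1 numbering, so a grep for "\[8\]" over the final file is the cheap check before publishing.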
@@ -97,3 +70,10 @@
for details on how to verify the integrity of this advisory.
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE+3KXxgHWT4GPEy58RArfyAKCKyv2LwPP8USQ0cJ3pWrMim6YsjwCg9WVC
+xg22arGdd28YhSOM8TRoHNE=
+=sLls
+-----END PGP SIGNATURE-----
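Review bot: with the clearsign header from the first hunk and this signature block the committed file is now the signed artifact itself, so any later edit to the advisory text, including the period and "unpatched" fixes suggested above or a whitespace change by an editor, silently invalidates the signature and readers following the verification instructions will see a BAD signature. Apply text corrections first and re-sign in the same commit, and consider a pre-commit check that runs "gpg --verify" on any file under openpkg-web/security that contains a BEGIN PGP SIGNED MESSAGE line.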
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/page.pl
============================================================================
$ cvs diff -u -r1.15 -r1.16 page.pl
--- openpkg-web/security/page.pl 16 May 2003 09:38:50 -0000 1.15
+++ openpkg-web/security/page.pl 3 Jun 2003 13:44:01 -0000 1.16
@@ -13,7 +13,7 @@
foreach my $sa (reverse sort @SA) {
my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
next if ($name =~ m|^0000|);
- next if ($name =~ m|^2003\.03[0-9]|);
+ next if ($name =~ m|^2003\.03[1-9]|);
if ($this_year ne $year) {
$sidebar .= "<br>\n";
$this_year = $year;
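Review bot: the hide-list regex has to be hand-edited for every advisory that is published (this change narrows `[0-9]` to `[1-9]` so that 2003.030 appears while 031-039 stay hidden), and it stops matching altogether once a draft numbered 2003.040 or higher exists, which would then be listed before it is signed. Deriving visibility from the file content instead of the name, for example skipping any advisory that still contains a FIXME marker or lacks the "-----BEGIN PGP SIGNED MESSAGE-----" line, removes the need to touch page.pl on each release and prevents an unsigned draft from being exposed by a forgotten pattern update.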
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]