Advisories » MGASA-2019-0236

Updated ghostscript packages fix security vulnerability

Publication date: 31 Aug 2019
Modification date: 31 Aug 2019
Type: security
Affected Mageia releases: 6, 7
CVE: CVE-2019-10216

Description

Updated ghostscript packages fix security vulnerability:

It was found that the .buildfont1 procedure did not properly secure its
privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An
attacker could abuse this flaw by creating a specially crafted PostScript
file that could escalate privileges and access files outside of restricted
areas (CVE-2019-10216).

Also, the Mageia 7 update fixes a bounding box issue that affects
klatexformula (mga#24866).
                

References

SRPMS

6/core

7/core