-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: ghostscript security update Advisory ID: RHSA-2017:0014-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0014.html Issue date: 2017-01-04 CVE Names: CVE-2013-5653 CVE-2016-7977 CVE-2016-7979 CVE-2016-8602 =====================================================================
1. Summary:
An update for ghostscript is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.
Security Fix(es):
* It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable, list directory and retrieve file content respectively, from the target. (CVE-2013-5653, CVE-2016-7977)
* It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash code execution in the context of the gs process. (CVE-2016-7979)
* It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process. (CVE-2016-8602)
4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1380327 - CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER 1380415 - CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER 1382305 - CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution 1383940 - CVE-2016-8602 ghostscript: check for sufficient params in .sethalftone5
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: ghostscript-8.70-21.el6_8.1.src.rpm
i386: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm
x86_64: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-8.70-21.el6_8.1.x86_64.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-doc-8.70-21.el6_8.1.i686.rpm ghostscript-gtk-8.70-21.el6_8.1.i686.rpm
x86_64: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.x86_64.rpm ghostscript-doc-8.70-21.el6_8.1.x86_64.rpm ghostscript-gtk-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: ghostscript-8.70-21.el6_8.1.src.rpm
x86_64: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-8.70-21.el6_8.1.x86_64.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.x86_64.rpm ghostscript-doc-8.70-21.el6_8.1.x86_64.rpm ghostscript-gtk-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: ghostscript-8.70-21.el6_8.1.src.rpm
i386: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm
ppc64: ghostscript-8.70-21.el6_8.1.ppc.rpm ghostscript-8.70-21.el6_8.1.ppc64.rpm ghostscript-debuginfo-8.70-21.el6_8.1.ppc.rpm ghostscript-debuginfo-8.70-21.el6_8.1.ppc64.rpm
s390x: ghostscript-8.70-21.el6_8.1.s390.rpm ghostscript-8.70-21.el6_8.1.s390x.rpm ghostscript-debuginfo-8.70-21.el6_8.1.s390.rpm ghostscript-debuginfo-8.70-21.el6_8.1.s390x.rpm
x86_64: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-8.70-21.el6_8.1.x86_64.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-doc-8.70-21.el6_8.1.i686.rpm ghostscript-gtk-8.70-21.el6_8.1.i686.rpm
ppc64: ghostscript-debuginfo-8.70-21.el6_8.1.ppc.rpm ghostscript-debuginfo-8.70-21.el6_8.1.ppc64.rpm ghostscript-devel-8.70-21.el6_8.1.ppc.rpm ghostscript-devel-8.70-21.el6_8.1.ppc64.rpm ghostscript-doc-8.70-21.el6_8.1.ppc64.rpm ghostscript-gtk-8.70-21.el6_8.1.ppc64.rpm
s390x: ghostscript-debuginfo-8.70-21.el6_8.1.s390.rpm ghostscript-debuginfo-8.70-21.el6_8.1.s390x.rpm ghostscript-devel-8.70-21.el6_8.1.s390.rpm ghostscript-devel-8.70-21.el6_8.1.s390x.rpm ghostscript-doc-8.70-21.el6_8.1.s390x.rpm ghostscript-gtk-8.70-21.el6_8.1.s390x.rpm
x86_64: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.x86_64.rpm ghostscript-doc-8.70-21.el6_8.1.x86_64.rpm ghostscript-gtk-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: ghostscript-8.70-21.el6_8.1.src.rpm
i386: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm
x86_64: ghostscript-8.70-21.el6_8.1.i686.rpm ghostscript-8.70-21.el6_8.1.x86_64.rpm ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-doc-8.70-21.el6_8.1.i686.rpm ghostscript-gtk-8.70-21.el6_8.1.i686.rpm
x86_64: ghostscript-debuginfo-8.70-21.el6_8.1.i686.rpm ghostscript-debuginfo-8.70-21.el6_8.1.x86_64.rpm ghostscript-devel-8.70-21.el6_8.1.i686.rpm ghostscript-devel-8.70-21.el6_8.1.x86_64.rpm ghostscript-doc-8.70-21.el6_8.1.x86_64.rpm ghostscript-gtk-8.70-21.el6_8.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-5653 https://access.redhat.com/security/cve/CVE-2016-7977 https://access.redhat.com/security/cve/CVE-2016-7979 https://access.redhat.com/security/cve/CVE-2016-8602 https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFYbM3PXlSAg2UNWIIRAharAJ44dE6FFxiWylajqH0xfPqHekm1MwCgo3WY 0yV/E9/ZYnMXGl9IPglVQW4= =B7Qa -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|