Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security update: Two security problems with ghostscript CSSA-2000-041.0
From: Caldera Support Info <sup-info () LOCUTUS4 CALDERASYSTEMS COM>
Date: Wed, 22 Nov 2000 13:20:54 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                   Caldera Systems, Inc.  Security Advisory

Subject:                Two security problems with ghostscript
Advisory number:        CSSA-2000-041.0
Issue date:             2000 November, 22
Cross reference:
______________________________________________________________________________


1. Problem Description

   Ghostscript creates temporary files insecurely. In addition,
   it is linked in a way that makes it pick up shared libraries
   from the current directory it is in.

   Both problems can probably be exploited to gain increased
   privilege on the system.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                ghostscript-5.10-16

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       ghostscript-5.10-16

   OpenLinux eDesktop 2.4       All packages previous to
                                ghostscript-5.10-16

3. Solution

   Workaround:

     none

   The proper solution is to upgrade to the fixed packages

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

   e3ff617e515cfd03be8854aff089376e  RPMS/ghostscript-5.10-16.i386.rpm
   f9002fe0592b1d8b88641c10cba2cafe  RPMS/ghostscript-doc-5.10-16.i386.rpm
   3d2610bbd43160e2cc3b234bc43cea4d  RPMS/ghostscript-fonts-5.10-16.i386.rpm
   7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm  

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv ghostscript-*.i386.rpm

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

   ba2ee8c950b3b9ce1791554b5d8e759d  RPMS/ghostscript-5.10-16.i386.rpm
   1645f133c8e557eede173dc6266707fa  RPMS/ghostscript-doc-5.10-16.i386.rpm
   88143839c0685864f2d671c6aa7c40bb  RPMS/ghostscript-fonts-5.10-16.i386.rpm
   7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm 

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv ghostscript-*.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

   f327bc2ef65c6d66f99d72317d23789b  RPMS/ghostscript-5.10-16.i386.rpm
   7202ab90cbd173fd252c624138710abf  RPMS/ghostscript-doc-5.10-16.i386.rpm
   e1d0ee2161ead248a859d10bcc1dcf6c  RPMS/ghostscript-fonts-5.10-16.i386.rpm
   7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm 

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv ghostscript-*.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 8307.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Dr. Werner Fink of SuSE,
   for discovering the bug and notifying us.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6G+9P18sy83A/qfwRAkS1AJ9il/Q9CTF8cZV/fD1YhCW/stpVhACfbsEo
Tpo6ZRg+ig4sf5k6k+v7fFs=
=YOJJ
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
  • Security update: Two security problems with ghostscript CSSA-2000-041.0 Caldera Support Info (Nov 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]