A security flaw in the ghostscript package that allowed a malicious user to execute arbitrary code or cause a denial of service has been found and fixed.
Package:
ghostscript 8.x
Operating systems:
Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6
The problem arises from an error in the icclib (International Color Consortium Format) library.
Consequence:
A malicious user could plant a specially crafted PDF or PostScript file and cause arbitrary code execution or a denial of service.
Solution:
To resolve the problem, upgrading the system with the released updated packages is advised.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ghostscript security update
Advisory ID: RHSA-2012:1256-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1256.html
Issue date: 2012-09-11
CVE Names: CVE-2012-4405
=====================================================================
1. Summary:
Updated ghostscript packages that fix one security issue are now available
for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
Ghostscript is a set of software that provides a PostScript interpreter, a
set of C procedures (the Ghostscript library, which implements the graphics
capabilities in the PostScript language) and an interpreter for Portable
Document Format (PDF) files.
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in Ghostscript's International Color Consortium Format library
(icclib). An attacker could create a specially-crafted PostScript or PDF
file with embedded images that would cause Ghostscript to crash or,
potentially, execute arbitrary code with the privileges of the user running
Ghostscript. (CVE-2012-4405)
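The flaw class named above (a 32-bit size computation that wraps, leaving a heap buffer smaller than the element count later written into it) shown as an added illustration in C; this is not icclib's or Red Hat's code. The header layout, the fixed ENTRY_SIZE and the sample header bytes are constructed assumptions, and the hardened variant shows the check a parser needs before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 4u   /* hypothetical fixed size of one table entry */

/* Big-endian 32-bit read, the byte order ICC profile fields use. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable pattern: count * size in 32-bit arithmetic wraps, so the
 * allocation is tiny while a copy loop still trusts the huge count. */
uint32_t table_bytes_unchecked(const unsigned char *hdr) {
    return read_be32(hdr) * ENTRY_SIZE;
}

/* Hardened: reject a count whose product overflows 32 bits or exceeds the
 * bytes the file actually contains. Returns 0 when the header is rejected. */
size_t table_bytes_checked(const unsigned char *hdr, size_t avail) {
    uint32_t count = read_be32(hdr);
    if (count == 0 || count > UINT32_MAX / ENTRY_SIZE)
        return 0;                             /* product would wrap */
    uint64_t bytes = (uint64_t)count * ENTRY_SIZE;
    return bytes > avail ? 0 : (size_t)bytes; /* claims more than the file holds */
}

/* Constructed sample headers (not taken from a real profile): a count of
 * 0x40000001 makes count * 4 wrap to 4; a count of 3 is benign. */
const unsigned char bad_hdr[4]  = {0x40, 0x00, 0x00, 0x01};
const unsigned char good_hdr[4] = {0x00, 0x00, 0x00, 0x03};

int main(void) {
    printf("unchecked size for bad header: %u bytes (wrapped)\n",
           table_bytes_unchecked(bad_hdr));
    printf("checked size for bad header:   %zu (0 = rejected)\n",
           table_bytes_checked(bad_hdr, 1024));
    printf("checked size for good header:  %zu bytes\n",
           table_bytes_checked(good_hdr, 64));
    return 0;
}
```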
Red Hat would like to thank Marc SchÄ