path: root/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
author: Stefan Ghinea <stefan.ghinea@windriver.com> 2019-09-10 09:34:12 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-09-16 23:02:44 +0100
commit: 7f87451e6ea28cb028598e5358387d2c06e291a9 (patch)
tree: 143eb226c481418dcc1bbb4f4724a8e7249d3712 /meta/recipes-extended/ghostscript/ghostscript_9.27.bb
parent: 7920994ba885f6ffbf4f152ff6369a714775b9e0 (diff)
ghostscript: CVE-2019-14811, CVE-2019-14817
A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14811
https://nvd.nist.gov/vuln/detail/CVE-2019-14817

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

(From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c)

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/ghostscript/ghostscript_9.27.bb')
-rw-r--r-- meta/recipes-extended/ghostscript/ghostscript_9.27.bb 3
1 files changed, 3 insertions, 0 deletions
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
index fcc9e0099e..349c0c2e8b 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.27.bb
@@ -25,6 +25,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://do-not-check-local-libpng-source.patch \
file://avoid-host-contamination.patch \
file://mkdir-p.patch \
+ file://CVE-2019-14811-0001.patch \
+ file://CVE-2019-14817-0001.patch \
+ file://CVE-2019-14817-0002.patch \
"
SRC_URI = "${SRC_URI_BASE} \
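Review bot: the three entries added to SRC_URI_BASE (CVE-2019-14811-0001.patch, CVE-2019-14817-0001.patch, CVE-2019-14817-0002.patch) do not line up one-to-one with the two upstream commits listed in the commit message, so it is unclear which upstream change each file carries and whether one of the CVE-2019-14817 patches is missing an upstream reference. Please spell out the patch-to-commit mapping in the commit message. Since this view is limited to the recipe and the patch files themselves are not shown, also confirm that each one carries its CVE: and Upstream-Status: header tags so CVE tracking for the 9.27 recipe reflects both fixes.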