FS#62102 - [ghostscript] CVE-2019-3835, CVE-2019-3838
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 21 March 2019, 16:04 GMT
Last edited by Andreas Radke (AndyRTR) - Thursday, 04 April 2019, 19:34 GMT
Details
There are 2 new CVEs in ghostscript, breaking (again) -dSAFER:
https://www.openwall.com/lists/oss-security/2019/03/21/1

Upstream has already merged the corresponding fixes in its git master branch:

Upstream fixes for CVE-2019-3835:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6

Upstream fixes for CVE-2019-3838:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a
Closed by Andreas Radke (AndyRTR)
Thursday, 04 April 2019, 19:34 GMT
Reason for closing: Fixed
Additional comments about closing: 9.27-1
Also, it may be worth building ImageMagick with `--without-gslib'. It will allow replacing https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick with <policy domain="delegate" rights="none" pattern="gs" /> as a more bearable workaround for users.