Bug 30741

Summary:	ghostscript new security issue CVE-2022-2085
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Nicolas Salguero <nicolas.salguero>
Status:	RESOLVED INVALID	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	jean-pierre
Version:	8
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	ghostscript-9.53.3-2.3.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2022-08-12 18:56:09 CEST

Fedora has issued an advisory on August 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ERSZX5LKDWAHZWJYBMP2E2UHOPUCDEGV/

The issue is fixed upstream in 9.56.1.

Comment 1 Jean-Pierre Aubin 2022-08-15 19:45:27 CEST

I'm working on it.

CC: (none) => jean-pierre

Comment 2 Nicolas Salguero 2022-08-16 09:15:07 CEST

Hi,

Please do not update to 9.56.1 because that might cause printing issues, for instance.

The good method is to add or backport the patch(es) solving the CVE.

Best regards.

Comment 3 Jean-Pierre Aubin 2022-08-16 14:15:47 CEST

Hi, 

There is no patch available for our version (9.53.3).
The source code is too different (for me at least) to adapt a patch with the one publishing by the editor.

Comment 4 David Walser 2022-08-16 14:57:24 CEST

It's a one-line change.  Does our version not have something similar? 
https://git.ghostscript.com/?p=ghostpdl.git;a=blobdiff;f=base/gdevmx.c;h=89e9ff774583afaf53f0f80ec75cdca439cb56b6;hp=08b0cbcfe1afc14a6cf34bbc16d71af44cbc0171;hb=ae1061d948d88667bdf51d47d918c4684d0f67df;hpb=b3173bfc5f5d60adcb80c10d7ce4cdd1492dfea9

Comment 5 Jean-Pierre Aubin 2022-08-16 15:14:36 CEST

I didn't found it and the source code is really different (different call structure for mem_device and mem_initialize_device_procs doesn't exist).

Comment 6 David Walser 2022-08-16 15:21:41 CEST

I guess we'll have to see if another distro backports a fix for this (if 9.53 is affected).

Comment 7 Jean-Pierre Aubin 2022-08-16 15:34:23 CEST

Regarding debian, 9.53.3 is vulnerable.
https://security-tracker.debian.org/tracker/CVE-2022-2085

I dug in other distros without no result.

Comment 8 David Walser 2022-09-28 19:48:50 CEST

Ubuntu has issued an advisory for this on September 27:
https://ubuntu.com/security/notices/USN-5643-1

Comment 9 Nicolas Salguero 2022-09-29 13:40:58 CEST

Hi,

Debian (https://security-tracker.debian.org/tracker/CVE-2022-2085) now says:
"""
Introduced by: https://git.ghostscript.com/?p=ghostpdl.git;h=6f332dd0baee0135ebff0bf25c56e9adff0f944a (ghostpdl-9.55.0rc1)
"""

So I think the version of ghostscript in Mageia 8 is not affected.

Best regards,

Comment 10 David Walser 2022-09-29 14:40:32 CEST

Thanks.

Resolution: (none) => INVALID
Status: NEW => RESOLVED