Bug 32070

Summary:	ghostscript new security issue CVE-2023-36664
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED DUPLICATE	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version:	9	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM:	ghostscript-10.00.0-6.mga9.src.rpm	CVE:
Status comment:
Bug Depends on:	32237
Bug Blocks:

Description David Walser 2023-07-05 22:24:14 CEST

Debian has issued an advisory on July 3:
https://www.debian.org/security/2023/dsa-5446

Mageia 8 is also affected.

David Walser 2023-07-05 22:24:21 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-07 20:29:18 CEST

NicolasS has already done the job in Cauldron:
Thu Jul 6 by ns80
- add patches from Debian for CVE-2023-36664 (mga#32070)
so necessarily assigning this to you.

Assignee: bugsquad => nicolas.salguero

Comment 2 David Walser 2023-07-10 22:34:03 CEST

Ubuntu has issued an advisory for this today (July 10):
https://ubuntu.com/security/notices/USN-6213-1

Severity: normal => major

Comment 3 Nicolas Salguero 2023-08-31 14:17:32 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). (CVE-2023-36664)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
https://www.debian.org/security/2023/dsa-5446
https://ubuntu.com/security/notices/USN-6213-1
========================

Updated packages in 8/core/updates_testing:
========================
ghostscript-9.53.3-2.5.mga8
ghostscript-X-9.53.3-2.5.mga8
ghostscript-common-9.53.3-2.5.mga8
ghostscript-doc-9.53.3-2.5.mga8
ghostscript-dvipdf-9.53.3-2.5.mga8
ghostscript-module-X-9.53.3-2.5.mga8
lib(64)gs-devel-9.53.3-2.5.mga8
lib(64)gs9-9.53.3-2.5.mga8
lib(64)ijs-devel-0.35-162.5.mga8
lib(64)ijs1-0.35-162.5.mga8

from SRPM:
ghostscript-9.53.3-2.5.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
ghostscript-10.00.0-6.1.mga9
ghostscript-X-10.00.0-6.1.mga9
ghostscript-common-10.00.0-6.1.mga9
ghostscript-doc-10.00.0-6.1.mga9
ghostscript-dvipdf-10.00.0-6.1.mga9
ghostscript-module-X-10.00.0-6.1.mga9
lib(64)gs10-10.00.0-6.1.mga9
lib(64)gs-devel-10.00.0-6.1.mga9
lib(64)ijs1-0.35-173.1.mga9
lib(64)ijs-devel-0.35-173.1.mga9

from SRPM:
ghostscript-10.00.0-6.1.mga9.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs

PC LX 2023-08-31 16:47:59 CEST

CC: (none) => mageia

Comment 4 Herman Viaene 2023-09-02 15:15:07 CEST

MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 31758 Comment 5, used okular and the gs command to display some device's pdf manual and all worked OK.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 5 Thomas Andrews 2023-09-04 02:34:09 CEST

MGA9-64 Plasma, no installation issues. Tested as in comment 4, all looks OK.

OKing for MGA9, and validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Nicolas Salguero 2023-09-05 12:05:05 CEST

Depends on: (none) => 32237

Comment 6 Nicolas Salguero 2023-09-05 12:06:17 CEST

Hi,

That bug is superseded by bug 32237.

Best regards,

Nico.

Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED

Comment 7 David Walser 2023-09-05 13:41:34 CEST

Marking as duplicate to maintain that link.  OLD is for when the bug is only applicable to EOL versions of Mageia.

*** This bug has been marked as a duplicate of bug 32237 ***

Resolution: OLD => DUPLICATE