Bug 33196

Summary:	ghostscript new security issue CVE-2023-52722
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, fri, ghibomgx, nicolas.salguero, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	ghostscript-10.00.0-6.4.mga9.src.rpm	CVE:	CVE-2023-52722
Status comment:

Description Nicolas Salguero 2024-05-13 13:52:27 CEST

SUSE has released an advisory on May 9:
https://lwn.net/Articles/973065/

The fix is: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1

Nicolas Salguero 2024-05-13 13:53:44 CEST

CVE: (none) => CVE-2023-52722
Source RPM: (none) => ghostscript-10.00.0-6.4.mga9.src.rpm
Status comment: (none) => Patch available from upstream

Comment 1 Morgan Leijström 2024-05-13 14:10:53 CEST

No registered maintainer, assigning to all

Assignee: bugsquad => pkg-bugs
CC: (none) => fri

Comment 2 Morgan Leijström 2024-05-13 14:17:12 CEST

I see yourself Nicholas did last update and some earlier, as well as Giuseppe.

CC: (none) => ghibomgx, nicolas.salguero

Comment 3 Nicolas Salguero 2024-05-13 14:33:04 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. (CVE-2023-52722)

References:
https://lwn.net/Articles/973065/
https://lists.suse.com/pipermail/sle-security-updates/2024-May/018501.html
========================

Updated packages in core/updates_testing:
========================
ghostscript-10.00.0-6.5.mga9
ghostscript-X-10.00.0-6.5.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-doc-10.00.0-6.5.mga9.noarch.rpm
ghostscript-dvipdf-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9
lib(64)gs10-10.00.0-6.5.mga9
lib(64)gs-devel-10.00.0-6.5.mga9
lib(64)ijs1-0.35-173.5.mga9
lib(64)ijs-devel-0.35-173.5.mga9

from SRPM:
ghostscript-10.00.0-6.5.mga9.src.rpm

Nicolas Salguero 2024-05-13 14:33:21 CEST

Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
Assignee: pkg-bugs => qa-bugs

Comment 4 Giuseppe Ghibò 2024-05-13 19:08:59 CEST

(In reply to Morgan Leijström from comment #2)

> I see yourself Nicholas did last update and some earlier, as well as
> Giuseppe.

For next round I'd suggest to go straight with ghostscript-10.03 for mga9, it fixes also other bugs. I was using 10.02 already on mga9 for over a month without any problems.

katnatek 2024-05-14 04:12:14 CEST

Keywords: (none) => advisory

Comment 5 Morgan Leijström 2024-05-14 10:06:53 CEST

Strange, on my thinkpad T510 I already have a higher version of lib64gs10.
Changelog as seen in drakrpm:

        * tor jul 06 2023 ns80 <ns80> 10.00.0-7.mga9
        + Revision: 1963636
        - add patches from Debian for CVE-2023-36664 (mga#32070)

Probably some leftover since prerelease/cauldron testing days of mga9, but strange the ghostscript rpms are not same version as this.

Maybe we want to make sure that patch is still with us.

Or maybe simply as Giuseppe suggest right away update to 10.03 to be really sure and also fix other bugs.

[ettan@localhost ~]$ rpm -qa|grep lib64gs10
lib64gs10-10.00.0-7.mga9
[ettan@localhost ~]$ rpm -qa|grep ghostscr
ghostscript-fonts-8.11-24.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9
ghostscript-10.00.0-6.5.mga9

Comment 6 Nicolas Salguero 2024-05-14 10:29:40 CEST

It is clearly a mix between old Cauldron and real Mageia 9 because, for Mageia 9, it was 10.00.0-6.1.mga9 that included the patches from Debian for CVE-2023-36664.

Comment 7 Morgan Leijström 2024-05-14 10:37:17 CEST

Good you checked.
I will perfrom distro sync on that system...

Comment 8 katnatek 2024-05-16 04:10:53 CEST

RH mageia 9 x86_64

Updated without issues

rpm -qa|grep ghostscript
ghostscript-fonts-8.11-24.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9

rpm -q lib64gs10
lib64gs10-10.00.0-6.5.mga9


I still see the repeated image behavior in bug#32619 comment#4

katnatek 2024-05-16 04:11:32 CEST

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2024-05-16 16:47:29 CEST

(In reply to Giuseppe Ghibò from comment #4)
> (In reply to Morgan Leijström from comment #2)
> 
> > I see yourself Nicholas did last update and some earlier, as well as
> > Giuseppe.
> 
> For next round I'd suggest to go straight with ghostscript-10.03 for mga9,
> it fixes also other bugs. I was using 10.02 already on mga9 for over a month
> without any problems.

Sounds like a plan to me. But, once again we have an update ready for validation that addresses a security issue, so it needs to go out.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2024-05-16 19:30:26 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0180.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 11 Morgan Leijström 2024-05-16 19:37:05 CEST

Working for me too, printing. mga9-64