| Summary: | ghostscript new security issues CVE-2024-29510, CVE-2024-33869, CVE-2024-3387[01] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, fri, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | ghostscript-10.00.0-6.5.mga9.src.rpm | CVE: | CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871 |
| Status comment: | |||
Description
Nicolas Salguero
2024-05-16 15:56:12 CEST
Nicolas Salguero
2024-05-16 15:57:11 CEST
Source RPM: (none) => ghostscript-10.03.0-4.mga10.src.rpm

One of those pkgs normally maintained by you, Nicolas.

Assignee: bugsquad => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities: CVE-2024-29510, CVE-2024-33869, CVE-2024-33870 and CVE-2024-33871.

References:
https://lwn.net/Articles/973884/
========================

Updated packages in core/updates_testing:
========================
ghostscript-10.03.1-1.mga9
ghostscript-X-10.03.1-1.mga9
ghostscript-common-10.03.1-1.mga9
ghostscript-doc-10.03.1-1.mga9
ghostscript-dvipdf-10.03.1-1.mga9
ghostscript-module-X-10.03.1-1.mga9
lib(64)gs10-10.03.1-1.mga9
lib(64)gs-devel-10.03.1-1.mga9
lib(64)ijs1-0.35-182.mga9
lib(64)ijs-devel-0.35-182.mga9

from SRPM:
ghostscript-10.03.1-1.mga9.src.rpm

Status comment: Fixed upstream in 10.03.1 => (none)
Nicolas Salguero
2024-05-21 16:00:58 CEST
Source RPM: ghostscript-10.03.0-4.mga10.src.rpm => ghostscript-10.00.0-6.5.mga9.src.rpm
katnatek
2024-05-21 18:38:59 CEST
Keywords: (none) => advisory

RH mageia 9 x86_64
Updated without issues
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing ghostscript-module-X-10.03.1-1.mga9.x86_64.rpm ghostscript-10.03.1-1.mga9.x86_64.rpm lib64gs10-10.03.1-1.mga9.x86_64.rpm ghostscript-common-10.03.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/4: ghostscript-common ##################################################################################################
2/4: lib64gs10 ##################################################################################################
3/4: ghostscript ##################################################################################################
4/4: ghostscript-module-X ##################################################################################################
1/4: removing ghostscript-10.00.0-6.5.mga9.x86_64
##################################################################################################
2/4: removing ghostscript-module-X-10.00.0-6.5.mga9.x86_64
##################################################################################################
3/4: removing ghostscript-common-10.00.0-6.5.mga9.x86_64
##################################################################################################
4/4: removing lib64gs10-10.00.0-6.5.mga9.x86_64
##################################################################################################
I still see the repeated image behavior in bug#32619 comment#4

Whiteboard: (none) => MGA9-64-OK

No installation issues.
gs -h
GPL Ghostscript 10.03.1 (2024-05-02)
Copyright (C) 2024 Artifex Software, Inc. All rights reserved.
Usage: gs [switches] [file1.ps file2.ps ...]
Most frequently used switches: (you can use # in place of =)
-dNOPAUSE no pause after page | -q `quiet', fewer messages
-g<width>x<height> page size in pixels | -r<res> pixels/inch resolution
-sDEVICE=<devname> select device | -dBATCH exit after last file
-sOutputFile=<file> select output file: - for stdout, |command for pipe,
embed %d or %ld for page #
Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
Default output device: x11alpha
Available devices: a very long list...
Search path:
/usr/share/ghostscript/10.03.1/Resource/Init :
/usr/share/ghostscript/10.03.1/lib :
/usr/share/ghostscript/10.03.1/Resource/Font :
/usr/share/ghostscript/fonts : /usr/share/fonts/default/ghostscript :
/usr/share/fonts/default/type1 : /usr/share/ghostscript/fonts :
/usr/share/ghostscript/10.03.1/Resource :
/usr/share/ghostscript/Resource : /usr/share/ghostscript/CIDFont :
/usr/share/fonts/ttf : /usr/share/fonts/type1 :
/usr/share/fonts/default/Type1
Ghostscript is also using fontconfig to search for font files
For more information, see https://ghostscript.readthedocs.io/en/gs10.03.1/Use.html
Please report bugs to bugs.ghostscript.com.
Viewing a multi-page pdf:
$ gs firehouse_project.pdf
GPL Ghostscript 10.03.1 (2024-05-02)
Copyright (C) 2024 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
Processing pages 1 through 7.
Page 1
>>showpage, press <return> to continue<<
And on through all seven pages. All pages displayed correctly. Closed with the "quit" command.
Looks OK here, too.
Validating.

Keywords: (none) => validated_update

mga9-64 OK here
Updated on two systems, printing from various apps to Boomaga and a network printer. Renders pdfs.

CC: (none) => fri

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0192.html

Resolution: (none) => FIXED