Bug 25697 - ghostscript new security issue CVE-2019-14869
Summary: ghostscript new security issue CVE-2019-14869
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-14 23:36 CET by David Walser
Modified: 2019-11-19 22:19 CET (History)

See Also:
Source RPM: ghostscript-9.27-1.3.mga7.src.rpm
CVE: CVE-2019-14869
Status comment:


Description David Walser 2019-11-14 23:36:48 CET
RedHat has issued an advisory today (November 14):
https://access.redhat.com/errata/RHSA-2019:3888

The issue is fixed upstream in 9.28.
Comment 1 Lewis Smith 2019-11-15 10:11:30 CET
Assigning this globally as ghostscript has no registered maintainer.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2019-11-15 10:19:40 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

-dSAFER escape in .charkeys. (CVE-2019-14869)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14869
https://access.redhat.com/errata/RHSA-2019:3888
https://www.openwall.com/lists/oss-security/2019/11/15/1
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.27-1.4.mga7
ghostscript-dvipdf-9.27-1.4.mga7
ghostscript-common-9.27-1.4.mga7
ghostscript-X-9.27-1.4.mga7
ghostscript-module-X-9.27-1.4.mga7
lib(64)gs9-9.27-1.4.mga7
lib(64)gs-devel-9.27-1.4.mga7
lib(64)ijs1-0.35-147.4.mga7
lib(64)ijs-devel-0.35-147.4.mga7
ghostscript-doc-9.27-1.4.mga7

from SRPMS:
ghostscript-9.27-1.4.mga7.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-14869
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2019-11-15 13:16:24 CET
More info about this issue:
https://www.openwall.com/lists/oss-security/2019/11/15/1
Comment 4 Herman Viaene 2019-11-15 17:02:12 CET
MGA7-64 Plasma on Lenovo B50
No installation issues;
ref. bug 25379 Comment 4 for tests
$ gs --version
9.27

Downloaded two dvi files from http://ctan.math.illinois.edu/support/hypertex/hypertex/#examples
Opening these with Okular took too long for my patience, so I went on:
$ dvipdf thm.dvi thm.pdf
Page 1 may be too complex to print
Page 2 may be too complex to print
Warning:  no %%Page comments generated.
and
$ dvipdf hharvsamp.dvi hharvsamp.pdf
Page 0 may be too complex to print
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 3 may be too complex to print
Page 5 may be too complex to print
Warning:  no %%Page comments generated.
Both produced credible pdf documents
Also had MCC - Hardware - Printer detect my HP Officejet 8100; it seems to work OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-11-17 16:41:25 CET
Checked for clean install on my Dell Inspiron 5100 Xfce system, since I had it handy.

The following 4 packages are going to be installed:

- ghostscript-9.27-1.4.mga7.i586
- ghostscript-common-9.27-1.4.mga7.i586
- ghostscript-module-X-9.27-1.4.mga7.i586
- libgs9-9.27-1.4.mga7.i586

All packages installed cleanly. Downloaded a pdf and opened it with atril document viewer, and it looked good. OK for 32-bit.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update

Thomas Backlund 2019-11-19 18:02:01 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-11-19 22:19:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0336.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
