Debian-LTS has issued an advisory today (April 4):
https://www.debian.org/lts/security/2023/dla-3381

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written. (CVE-2023-28879)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28879
https://www.debian.org/lts/security/2023/dla-3381
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.53.3-2.4.mga8
ghostscript-X-9.53.3-2.4.mga8
ghostscript-common-9.53.3-2.4.mga8
ghostscript-dvipdf-9.53.3-2.4.mga8
ghostscript-doc-9.53.3-2.4.mga8
ghostscript-module-X-9.53.3-2.4.mga8
lib(64)gs9-9.53.3-2.4.mga8
lib(64)gs-devel-9.53.3-2.4.mga8
lib(64)ijs1-0.35-162.4.mga8
lib(64)ijs-devel-0.35-162.4.mga8

from SRPM:
ghostscript-9.53.3-2.4.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-28879
Version: Cauldron => 8
Source RPM: ghostscript-10.00.0-5.mga9.src.rpm => ghostscript-9.53.3-2.3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
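The off-by-one described in the suggested advisory above, as an added illustration that is not part of this bug report and is not Ghostscript's code: a simplified escaping encoder whose space check allows one byte but whose escape path writes two, next to a version that reserves the space each unit needs. The function names, the escape set, the 8-byte buffer and the sample input are assumptions constructed for the sketch.

```c
#include <stddef.h>
#include <string.h>

#define ESC    0x01  /* escape prefix byte (assumed for this sketch) */
#define CANARY 0xA5  /* guard value placed just past the write buffer */

/* Assumed escape set: control bytes that must not be sent raw. */
static int needs_escape(unsigned char c) {
    return c == 0x01 || c == 0x03 || c == 0x04 || c == 0x11 || c == 0x13;
}

/* Flawed: the loop checks for one free byte, then may write two. */
static size_t encode_flawed(const unsigned char *in, size_t n,
                            unsigned char *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i < n && w < cap; i++) {
        unsigned char c = in[i];
        if (needs_escape(c)) { out[w++] = ESC; c ^= 0x40; }
        out[w++] = c;  /* lands at out[cap] when an escape began at cap-1 */
    }
    return w;
}

/* Corrected: reserve what the next unit needs; stop if it does not fit. */
static size_t encode_checked(const unsigned char *in, size_t n,
                             unsigned char *out, size_t cap) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (cap - w < (needs_escape(c) ? 2u : 1u)) break;  /* flush, resume */
        if (needs_escape(c)) { out[w++] = ESC; c ^= 0x40; }
        out[w++] = c;
    }
    return w;
}

typedef size_t (*encoder_fn)(const unsigned char *, size_t,
                             unsigned char *, size_t);

/* Constructed input: 7 plain bytes leave an 8-byte buffer one short of full,
 * then 0x04 needs escaping. Returns 1 if the guard byte store[8] survived. */
static int guard_intact(encoder_fn enc) {
    const unsigned char in[8] = {'A','B','C','D','E','F','G', 0x04};
    unsigned char store[9];
    memset(store, CANARY, sizeof store);
    enc(in, sizeof in, store, 8);
    return store[8] == CANARY;
}

int main(void) { return guard_intact(encode_checked) && !guard_intact(encode_flawed) ? 0 : 1; }
```

The guard byte sits inside the 9-byte array, so the flawed encoder's extra write is observable without touching memory outside the test's own storage.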
Debian has issued an advisory for this on April 5: https://www.debian.org/security/2023/dsa-5383
mga8-64 OK simple test

Clean update of the packages this system had installed, to
- ghostscript-9.53.3-2.4.mga8.x86_64
- ghostscript-common-9.53.3-2.4.mga8.x86_64
- ghostscript-module-X-9.53.3-2.4.mga8.x86_64
- lib64gs9-9.53.3-2.4.mga8.x86_64

rebooted
Printing works
$ gs some.pdf
opens that pdf in a window.
CC: (none) => fri
CC: (none) => mageia
An additional test using VirtualBox: No installation issues in the MGA8-64 guest. It was determined in Bug 22590 that Okular uses ghostscript libraries to render .ps files, so I loaded a simple .ps file from a shared folder on the host machine, which rendered correctly. I then saved a copy in the guest's home directory as a .ps file, closed Okular, and displayed the file using ghostscript-x's gs command. Looked good. Giving this an OK, and validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0134.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
More details about this were posted on oss-security yesterday: https://www.openwall.com/lists/oss-security/2023/04/12/4