Bug 32070 - ghostscript new security issue CVE-2023-36664
Summary: ghostscript new security issue CVE-2023-36664
Status: RESOLVED DUPLICATE of bug 32237
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: validated_update
Depends on: 32237
Blocks:
Reported: 2023-07-05 22:24 CEST by David Walser
Modified: 2023-09-05 13:41 CEST
CC: 5 users

See Also:
Source RPM: ghostscript-10.00.0-6.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-07-05 22:24:14 CEST
Debian has issued an advisory on July 3:
https://www.debian.org/security/2023/dsa-5446

Mageia 8 is also affected.
David Walser 2023-07-05 22:24:21 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-07 20:29:18 CEST
NicolasS has already done the job in Cauldron:
Thu Jul 6 by ns80
- add patches from Debian for CVE-2023-36664 (mga#32070)
so necessarily assigning this to you.

Assignee: bugsquad => nicolas.salguero

Comment 2 David Walser 2023-07-10 22:34:03 CEST
Ubuntu has issued an advisory for this today (July 10):
https://ubuntu.com/security/notices/USN-6213-1

Severity: normal => major

Comment 3 Nicolas Salguero 2023-08-31 14:17:32 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). (CVE-2023-36664)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
https://www.debian.org/security/2023/dsa-5446
https://ubuntu.com/security/notices/USN-6213-1
========================

Updated packages in 8/core/updates_testing:
========================
ghostscript-9.53.3-2.5.mga8
ghostscript-X-9.53.3-2.5.mga8
ghostscript-common-9.53.3-2.5.mga8
ghostscript-doc-9.53.3-2.5.mga8
ghostscript-dvipdf-9.53.3-2.5.mga8
ghostscript-module-X-9.53.3-2.5.mga8
lib(64)gs-devel-9.53.3-2.5.mga8
lib(64)gs9-9.53.3-2.5.mga8
lib(64)ijs-devel-0.35-162.5.mga8
lib(64)ijs1-0.35-162.5.mga8

from SRPM:
ghostscript-9.53.3-2.5.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
ghostscript-10.00.0-6.1.mga9
ghostscript-X-10.00.0-6.1.mga9
ghostscript-common-10.00.0-6.1.mga9
ghostscript-doc-10.00.0-6.1.mga9
ghostscript-dvipdf-10.00.0-6.1.mga9
ghostscript-module-X-10.00.0-6.1.mga9
lib(64)gs10-10.00.0-6.1.mga9
lib(64)gs-devel-10.00.0-6.1.mga9
lib(64)ijs1-0.35-173.1.mga9
lib(64)ijs-devel-0.35-173.1.mga9

from SRPM:
ghostscript-10.00.0-6.1.mga9.src.rpm

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: nicolas.salguero => qa-bugs
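For QA or administrators checking whether a Mageia 8 machine already carries the fixed packages listed in the advisory above, the following script is an added example (not part of this bug report or of Mageia's tooling). It reimplements rpm's version ordering (rpmvercmp segment comparison, with tilde handled; caret is not) in Python, parses name-version-release strings, and compares a constructed sample of `rpm -q` output against the fixed NVRs from comment 3. The sample output lines are invented for the demonstration; only the fixed package names and versions come from the advisory.

```python
import re
from typing import Dict, Tuple

# Fixed package NVRs for Mageia 8, taken from the advisory in comment 3.
# "lib(64)" in the advisory means the lib64 package on x86_64.
FIXED_MGA8 = [
    "ghostscript-9.53.3-2.5.mga8",
    "ghostscript-X-9.53.3-2.5.mga8",
    "ghostscript-common-9.53.3-2.5.mga8",
    "ghostscript-doc-9.53.3-2.5.mga8",
    "ghostscript-dvipdf-9.53.3-2.5.mga8",
    "ghostscript-module-X-9.53.3-2.5.mga8",
    "lib64gs-devel-9.53.3-2.5.mga8",
    "lib64gs9-9.53.3-2.5.mga8",
    "lib64ijs-devel-0.35-162.5.mga8",
    "lib64ijs1-0.35-162.5.mga8",
]

# Constructed sample of `rpm -q` output (hypothetical host, partly unpatched).
SAMPLE_RPM_Q = """\
ghostscript-9.53.3-2.4.mga8
ghostscript-common-9.53.3-2.5.mga8
lib64gs9-9.53.3-2.4.mga8
lib64ijs1-0.35-162.5.mga8
"""

# A version string is compared segment by segment: runs of digits, runs of
# letters, and the tilde pre-release marker. Separators are ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp() (tilde supported, caret not)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        # Tilde sorts before anything, including the end of the string.
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        # The string with remaining segments is the newer one.
        if ta is None:
            return -1
        if tb is None:
            return 1
        a_num, b_num = ta[0].isdigit(), tb[0].isdigit()
        # A numeric segment is newer than an alphabetic one at the same position.
        if a_num != b_num:
            return 1 if a_num else -1
        if a_num:
            ia, ib = int(ta), int(tb)   # int() drops leading zeros (10.00.0 == 10.0.0)
            if ia != ib:
                return 1 if ia > ib else -1
        elif ta != tb:
            return 1 if ta > tb else -1
        sa.pop(0)
        sb.pop(0)
    return 0


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' on the last two dashes (names may contain dashes)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, fixed: str) -> int:
    """Compare two NVRs of the same package: version first, then release."""
    _, iv, ir = parse_nvr(installed)
    _, fv, fr = parse_nvr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def check_installed(rpm_q_output: str, fixed_nvrs) -> Dict[str, bool]:
    """Map each installed package from the fixed list to True if at/after the fixed NVR."""
    fixed_by_name = {parse_nvr(n)[0]: n for n in fixed_nvrs}
    result: Dict[str, bool] = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name = parse_nvr(line)[0]
        if name in fixed_by_name:
            result[name] = compare_nvr(line, fixed_by_name[name]) >= 0
    return result


if __name__ == "__main__":
    for pkg, ok in check_installed(SAMPLE_RPM_Q, FIXED_MGA8).items():
        print(f"{pkg}: {'patched' if ok else 'NEEDS UPDATE'}")
```

On a real host the sample text would be replaced by the output of `rpm -q` for the package names in the list; packages that are not installed are simply absent from the result.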

PC LX 2023-08-31 16:47:59 CEST

CC: (none) => mageia

Comment 4 Herman Viaene 2023-09-02 15:15:07 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 31758 Comment 5, used okular and the gs command to display some device's pdf manual and all worked OK.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 5 Thomas Andrews 2023-09-04 02:34:09 CEST
MGA9-64 Plasma, no installation issues. Tested as in comment 4, all looks OK.

OKing for MGA9, and validating. Advisory in comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Nicolas Salguero 2023-09-05 12:05:05 CEST

Depends on: (none) => 32237

Comment 6 Nicolas Salguero 2023-09-05 12:06:17 CEST
Hi,

That bug is superseded by bug 32237.

Best regards,

Nico.

Resolution: (none) => OLD
Status: ASSIGNED => RESOLVED

Comment 7 David Walser 2023-09-05 13:41:34 CEST
Marking as duplicate to maintain that link. OLD is for when the bug is only applicable to EOL versions of Mageia.

*** This bug has been marked as a duplicate of bug 32237 ***

Resolution: OLD => DUPLICATE
