SUSE has released an advisory on May 9: https://lwn.net/Articles/973065/ The fix is: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1
CVE: (none) => CVE-2023-52722
Source RPM: (none) => ghostscript-10.00.0-6.4.mga9.src.rpm
Status comment: (none) => Patch available from upstream
No registered maintainer, assigning to all
Assignee: bugsquad => pkg-bugs
CC: (none) => fri
I see yourself Nicholas did last update and some earlier, as well as Giuseppe.
CC: (none) => ghibomgx, nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in Artifex Ghostscript through 10.01.0. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. (CVE-2023-52722)

References:
https://lwn.net/Articles/973065/
https://lists.suse.com/pipermail/sle-security-updates/2024-May/018501.html
========================

Updated packages in core/updates_testing:
========================
ghostscript-10.00.0-6.5.mga9
ghostscript-X-10.00.0-6.5.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-doc-10.00.0-6.5.mga9.noarch.rpm
ghostscript-dvipdf-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9
lib(64)gs10-10.00.0-6.5.mga9
lib(64)gs-devel-10.00.0-6.5.mga9
lib(64)ijs1-0.35-173.5.mga9
lib(64)ijs-devel-0.35-173.5.mga9

from SRPM:
ghostscript-10.00.0-6.5.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
Assignee: pkg-bugs => qa-bugs
(In reply to Morgan Leijström from comment #2)
> I see yourself Nicholas did last update and some earlier, as well as
> Giuseppe.

For next round I'd suggest to go straight with ghostscript-10.03 for mga9, it fixes also other bugs. I was using 10.02 already on mga9 for over a month without any problems.
Keywords: (none) => advisory
Strange, on my thinkpad T510 I already have a higher version of lib64gs10.

Changelog as seen in drakrpm:
* tor jul 06 2023 ns80 <ns80> 10.00.0-7.mga9
+ Revision: 1963636
- add patches from Debian for CVE-2023-36664 (mga#32070)

Probably some leftover since prerelease/cauldron testing days of mga9, but strange the ghostscript rpms are not the same version as this.
Maybe we want to make sure that patch is still with us.
Or maybe simply, as Giuseppe suggests, right away update to 10.03 to be really sure and also fix other bugs.

[ettan@localhost ~]$ rpm -qa|grep lib64gs10
lib64gs10-10.00.0-7.mga9
[ettan@localhost ~]$ rpm -qa|grep ghostscr
ghostscript-fonts-8.11-24.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9
ghostscript-10.00.0-6.5.mga9
It is clearly a mix between old Cauldron and real Mageia 9 because, for Mageia 9, it was 10.00.0-6.1.mga9 that included the patches from Debian for CVE-2023-36664.
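One way to spot the kind of mix described in the comments above (an added example, not part of the original thread): group installed packages by their SOURCERPM tag instead of comparing version strings, since subpackages such as lib(64)ijs1 carry their own version. The sample list is constructed, the SOURCERPM value shown for lib64gs10 is an assumption, and `mixed_builds` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` output, modelled
# on the package list in the thread. The SOURCERPM shown for lib64gs10 is an
# assumption; the thread only gives the binary package version.
sample_rpm_list() {
    cat <<'EOF'
ghostscript-fonts ghostscript-fonts-8.11-24.mga9.src.rpm
ghostscript-common ghostscript-10.00.0-6.5.mga9.src.rpm
ghostscript-module-X ghostscript-10.00.0-6.5.mga9.src.rpm
ghostscript ghostscript-10.00.0-6.5.mga9.src.rpm
lib64gs10 ghostscript-10.00.0-7.mga9.src.rpm
EOF
}

# mixed_builds SRCNAME (hypothetical helper)
# Reads "NAME SOURCERPM" lines on stdin. If the installed packages built from
# source package SRCNAME come from more than one SRPM build, prints one line
# per build ("SRPM: pkg pkg ..."); prints nothing when they are consistent.
mixed_builds() {
    awk -v want="$1" '
    {
        # Strip ".src.rpm", then drop the trailing version and release
        # fields to recover the source package name.
        s = $2
        sub(/\.src\.rpm$/, "", s)
        n = split(s, p, "-")
        name = p[1]
        for (i = 2; i <= n - 2; i++) name = name "-" p[i]
        if (name != want) next
        if (!($2 in pkgs)) builds++
        pkgs[$2] = pkgs[$2] " " $1
    }
    END {
        if (builds > 1)
            for (b in pkgs) print b ":" pkgs[b]
    }' | sort
}

# On a live system: rpm -qa --qf '%{NAME} %{SOURCERPM}\n' | mixed_builds ghostscript
sample_rpm_list | mixed_builds ghostscript
```

Any output means a subpackage was left behind by an earlier build and will not be replaced by an update that only targets the current SRPM's release.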
Good you checked. I will perform distro sync on that system...
RH mageia 9 x86_64

Updated without issues

rpm -qa|grep ghostscript
ghostscript-fonts-8.11-24.mga9
ghostscript-common-10.00.0-6.5.mga9
ghostscript-10.00.0-6.5.mga9
ghostscript-module-X-10.00.0-6.5.mga9

rpm -q lib64gs10
lib64gs10-10.00.0-6.5.mga9

I still see the repeated image behavior in bug#32619 comment#4
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
(In reply to Giuseppe Ghibò from comment #4)
> (In reply to Morgan Leijström from comment #2)
> > I see yourself Nicholas did last update and some earlier, as well as
> > Giuseppe.
>
> For next round I'd suggest to go straight with ghostscript-10.03 for mga9,
> it fixes also other bugs. I was using 10.02 already on mga9 for over a month
> without any problems.

Sounds like a plan to me. But, once again we have an update ready for validation that addresses a security issue, so it needs to go out.

Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0180.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Working for me too, printing. mga9-64