Bug 33597 - ghostscript new security issues CVE-2024-4695[1-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-27 16:28 CEST by Nicolas Salguero
Modified: 2024-10-06 00:55 CEST

See Also:
Source RPM: ghostscript-10.03.1-1.mga10.src.rpm
CVE: CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, CVE-2024-46956
Status comment:



Description Nicolas Salguero 2024-09-27 16:28:18 CEST
Upstream has released version 10.04.0 on September 18:
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10040
Nicolas Salguero 2024-09-27 16:29:14 CEST

Source RPM: (none) => ghostscript-10.03.1-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in 10.04.0
CVE: (none) => CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, CVE-2024-46956
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-09-27 16:29:19 CEST

Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2024-10-01 09:15:26 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities: CVE-2024-46951, CVE-2024-46952, CVE-2024-46953, CVE-2024-46954, CVE-2024-46955, CVE-2024-46956.

References:
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10040
========================

Updated packages in core/updates_testing:
========================
ghostscript-10.04.0-1.mga9
ghostscript-X-10.04.0-1.mga9
ghostscript-common-10.04.0-1.mga9
ghostscript-doc-10.04.0-1.mga9
ghostscript-dvipdf-10.04.0-1.mga9
ghostscript-module-X-10.04.0-1.mga9
lib(64)gs10-10.04.0-1.mga9
lib(64)gs-devel-10.04.0-1.mga9
lib(64)ijs1-0.35-183.mga9
lib(64)ijs-devel-0.35-183.mga9

from SRPM:
ghostscript-10.04.0-1.mga9.src.rpm

Version: Cauldron => 9
Status comment: Fixed upstream in 10.04.0 => (none)
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-10-01 19:51:05 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-10-01 20:32:55 CEST
LC_ALL=C urpmi --auto --auto-update 
adding 10 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64gs10-10.04.0-1.mga9.x86_64.rpm ghostscript-common-10.04.0-1.mga9.x86_64.rpm ghostscript-10.04.0-1.mga9.x86_64.rpm ghostscript-module-X-10.04.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: ghostscript-common    ##################################################################################################
      2/4: lib64gs10             ##################################################################################################
      3/4: ghostscript           ##################################################################################################
      4/4: ghostscript-module-X  ##################################################################################################
      1/4: removing ghostscript-10.03.1-1.mga9.x86_64
                                 ##################################################################################################
      2/4: removing ghostscript-module-X-10.03.1-1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing ghostscript-common-10.03.1-1.mga9.x86_64
                                 ##################################################################################################
      4/4: removing lib64gs10-10.03.1-1.mga9.x86_64
                                 ##################################################################################################

open pdf with gs

I still see the repeated image behavior in bug#32619 comment#4

Test if it does not cause issues with lilypond

LC_ALL=C lilypond TogoHT.ly 
GNU LilyPond 2.24.3 (running Guile 2.2)
Processing `TogoHT.ly'
Parsing...
Interpreting music...[8]
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `TogoHT.pdf'...
Success: compilation successfully completed

Looks good to me

Comment 3 Morgan Leijström 2024-10-04 14:55:40 CEST
mga9-64 OK

Clean update of
- ghostscript-10.04.0-1.mga9.x86_64
- ghostscript-common-10.04.0-1.mga9.x86_64
- ghostscript-module-X-10.04.0-1.mga9.x86_64
- lib64gs10-10.04.0-1.mga9.x86_64

gs some.pdf opened it in a window OK.

Normal printing to boomaga and network printer with Bug 33596 - cups

CC: (none) => fri

katnatek 2024-10-04 20:07:24 CEST

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-10-05 01:48:11 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-10-06 00:55:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0326.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

