dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Caldera Systems Security Advisory: Two security problems with ghostscript

Nov 24, 2000, 09:26 (0 Talkback[s])

Date: Wed, 22 Nov 2000 13:20:54 -0700
From: Caldera Support Info sup-info@LOCUTUS4.CALDERASYSTEMS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security update: Two security problems with ghostscript CSSA-2000-041.0


                   Caldera Systems, Inc.  Security Advisory

Subject:                Two security problems with ghostscript
Advisory number:        CSSA-2000-041.0
Issue date:             2000 November, 22
Cross reference:

1. Problem Description

Ghostscript creates temporary files insecurely. In addition, it is linked in a way that makes it pick up shared libraries from the current directory it is in.

Both problems can probably be exploited to gain increased privilege on the system.

2. Vulnerable Versions

   System                       Package

   OpenLinux Desktop 2.3        All packages previous to
                                ghostscript-5.10-16

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       ghostscript-5.10-16

   OpenLinux eDesktop 2.4       All packages previous to
                                ghostscript-5.10-16
3. Solution

Workaround:

none

The proper solution is to upgrade to the fixed packages

4. OpenLinux Desktop 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

e3ff617e515cfd03be8854aff089376e RPMS/ghostscript-5.10-16.i386.rpm
f9002fe0592b1d8b88641c10cba2cafe RPMS/ghostscript-doc-5.10-16.i386.rpm
3d2610bbd43160e2cc3b234bc43cea4d RPMS/ghostscript-fonts-5.10-16.i386.rpm
7ca69d444653f0b9e12d69f55873edea SRPMS/ghostscript-5.10-16.src.rpm
4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv ghostscript-*.i386.rpm

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

ba2ee8c950b3b9ce1791554b5d8e759d RPMS/ghostscript-5.10-16.i386.rpm
1645f133c8e557eede173dc6266707fa RPMS/ghostscript-doc-5.10-16.i386.rpm
88143839c0685864f2d671c6aa7c40bb RPMS/ghostscript-fonts-5.10-16.i386.rpm
7ca69d444653f0b9e12d69f55873edea SRPMS/ghostscript-5.10-16.src.rpm
5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv ghostscript-*.i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

f327bc2ef65c6d66f99d72317d23789b RPMS/ghostscript-5.10-16.i386.rpm
7202ab90cbd173fd252c624138710abf RPMS/ghostscript-doc-5.10-16.i386.rpm
e1d0ee2161ead248a859d10bcc1dcf6c RPMS/ghostscript-fonts-5.10-16.i386.rpm
7ca69d444653f0b9e12d69f55873edea SRPMS/ghostscript-5.10-16.src.rpm
6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv ghostscript-*.i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Report 8307.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements

Caldera Systems wishes to thank Dr. Werner Fink of SuSE, for discovering the bug and notifying us.


×
We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.