oss-sec mailing list archives
Re: CVE request: ghostscript and gv
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 25 Aug 2010 11:50:48 +0200
On Sun, 30 May 2010 22:08:12 +0200 Bernhard R. Link wrote:
Gs's -P- not working (at least for gs_init.ps), is definitly a bug that needs to be fixed.
I believe we should try to clarify what CVE-2010-2055 got actually assigned to, as it seems to be used for more than one thing: - ghostscript uses CWD to search for initialization files - gv did not pass -P- to gs, leading to problems related to the default mentioned above - some ghostscript versions search CWD even when started with -P-
I personally would also suggest fixing gs to not look in the current directory by default (looking for important stuff in the current directory is really always a bad idea). I guess the problem is how to fix it.
As previously mentioned, upstream changed SEARCH_HERE_FIRST default to address this. I believe SuSE updates did the same change already too. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- Re: CVE request: ghostscript and gv Tomas Hoger (Jul 19)
- <Possible follow-ups>
- Re: CVE request: ghostscript and gv Tomas Hoger (Aug 25)
- Re: CVE request: ghostscript and gv Ludwig Nussel (Aug 25)
- Re: CVE request: ghostscript and gv Tomas Hoger (Aug 26)
- Re: CVE request: ghostscript and gv Ludwig Nussel (Aug 25)