oss-sec mailing list archives
Re: CVE request: ghostscript and gv
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 30 May 2010 21:52:56 +0200
* Bernhard R. Link:
> * Ludwig Nussel <ludwig.nussel () suse de> [100528 12:05]:
> > Upstream suggested to use -P- in addition to -dSAFER.
>
> Either I mix something up or that option does not even help:
>
> With the Debian lenny version I get:
>
> $ touch gs_init.ps
> $ /usr/bin/gs -P- notneeded.ps
> GPL Ghostscript 8.62: Initialization file gs_init.ps does not begin with an integer.

"gs -P- -DSAFER gs_init.ps" works, too, so you can inject the payload with file-name-preserving user agents. 8-(

Is the general consensus that we should patch this in viewers/Ghostscript wrappers, and not Ghostscript itself?