oss-sec mailing list archives
Re: CVE request: ghostscript and gv
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 26 Aug 2010 10:29:25 +0200
On Wed, 25 Aug 2010 15:23:34 +0200 Ludwig Nussel wrote:
- some ghostscript versions search CWD even when started with -P-... as it turned out neither a) nor b) actually solve the problem:
http://bugs.ghostscript.com/show_bug.cgi?id=691350#c11
So fixing gs must be part of the solution always. That's
http://svn.ghostscript.com/viewvc?view=rev&revision=11352
Yes, that's what I was referring to.
Therefore up to three CVE numbers could be assigned
a) insecure default of gs
b) applications don't pass -P-
c) non working -P-/SEARCH_HERE_FIRST

Fixing a) means b) isn't needed but then it's just a compile time default that may or may not be changed by distros. Both a) and b) imply a fix for c) though. No idea if a separate CVE is actually useful in that case.
b) is likely to require per-application CVE. With the changed default, one won't need to care about them though.

I agree c) should better get a separate CVE if it's not what CVE-2010-2055 text already tries to describe, given the "related to improper support for the -P- option" part.

--
Tomas Hoger / Red Hat Security Response Team