Re: CVE request: ghostscript and gv

[Tomas Hoger <thoger () redhat com>]

On Wed, 25 Aug 2010 15:23:34 +0200 Ludwig Nussel wrote:

> > - some ghostscript versions search CWD even when started with -P-
>
> ... as it turned out neither a) nor b) actually solve the problem:
> http://bugs.ghostscript.com/show_bug.cgi?id=691350#c11
>
> So fixing gs must be part of the solution always. That's
> http://svn.ghostscript.com/viewvc?view=rev&revision=11352

Yes, that's what I was referring to.

> Therefore up to three CVE numbers could be assigned
> a) insecure default of gs
> b) applications don't pass -P-
> c) non working -P-/SEARCH_HERE_FIRST
>
> Fixing a) means b) isn't needed but then it's just a compile time
> default that may or may not be changed by distros.
>
> Both a) and b) imply a fix for c) though. No idea if a separate CVE
> is actually useful in that case.

b) is likely to require per-application CVE.  With the changed default,
one won't need to care about them though.  I agree c) should better get
a separate CVE if it's not what CVE-2010-2055 text already tries to
describe, given the "related to improper support for the -P- option"
part.

-- 
Tomas Hoger / Red Hat Security Response Team