oss-sec mailing list archives
Re: CVE request: ghostscript: system initialization file uncontrolled search path element
From: Kurt Seifried <kseifrie () redhat com>
Date: Wed, 04 Jan 2012 09:53:31 -0700
On 01/04/2012 04:56 AM, Ramon de C Valle wrote:
Hi Kurt, We identified and are separating the bugs discussed in Bug 599564[1] in two different issues. Can you assign a CVE Identifier to the following issue: Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default.[1] [1] https://bugzilla.redhat.com/show_bug.cgi?id=599564 Thanks,
Assigning a 2010 CVE since this was made public in 2010. Please use CVE-2010-4820 for this issue. -- -- Kurt Seifried / Red Hat Security Response Team
Current thread:
- CVE request: ghostscript: system initialization file uncontrolled search path element Ramon de C Valle (Jan 04)
- Re: CVE request: ghostscript: system initialization file uncontrolled search path element Kurt Seifried (Jan 04)