5769862 2000-11-22 13:20 -0700  /155 lines/ Caldera Support Info <sup-info@LOCUTUS4.CALDERASYSTEMS.COM>
Imported: 2000-11-23  23:22  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: sup-info@LOCUTUS4.CALDERASYSTEMS.COM
Recipient: Bugtraq (import) <13847>
Subject: Security update: Two security problems with ghostscript
------------------------------------------------------------
 CSSA-2000-041.0
From: Caldera Support Info <sup-info@LOCUTUS4.CALDERASYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001122132054.A27384@locutus4.calderasystems.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		Two security problems with ghostscript
Advisory number: 	CSSA-2000-041.0
Issue date: 		2000 November, 22
Cross reference:
______________________________________________________________________________


1. Problem Description

   Ghostscript creates temporary files insecurely. In addition,
   it is linked in a way that makes it pick up shared libraries
   from the current directory it is in.

   Both problems can probably be exploited to gain increased
   privilege on the system.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux Desktop 2.3        All packages previous to
                                ghostscript-5.10-16

   OpenLinux eServer 2.3        All packages previous to
   and OpenLinux eBuilder       ghostscript-5.10-16

   OpenLinux eDesktop 2.4       All packages previous to
                                ghostscript-5.10-16

3. Solution

   Workaround:

     none

   The proper solution is to upgrade to the fixed packages.

4. OpenLinux Desktop 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       e3ff617e515cfd03be8854aff089376e  RPMS/ghostscript-5.10-16.i386.rpm
       f9002fe0592b1d8b88641c10cba2cafe  RPMS/ghostscript-doc-5.10-16.i386.rpm
       3d2610bbd43160e2cc3b234bc43cea4d  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

	  rpm -Fhv ghostscript-*.i386.rpm

5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       ba2ee8c950b3b9ce1791554b5d8e759d  RPMS/ghostscript-5.10-16.i386.rpm
       1645f133c8e557eede173dc6266707fa  RPMS/ghostscript-doc-5.10-16.i386.rpm
       88143839c0685864f2d671c6aa7c40bb  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

	  rpm -Fhv ghostscript-*.i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f327bc2ef65c6d66f99d72317d23789b  RPMS/ghostscript-5.10-16.i386.rpm
       7202ab90cbd173fd252c624138710abf  RPMS/ghostscript-doc-5.10-16.i386.rpm
       e1d0ee2161ead248a859d10bcc1dcf6c  RPMS/ghostscript-fonts-5.10-16.i386.rpm
       7ca69d444653f0b9e12d69f55873edea  SRPMS/ghostscript-5.10-16.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

	  rpm -Fhv ghostscript-*.i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 8307.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   OpenLinux.

9. Acknowledgements

   Caldera Systems wishes to thank Dr. Werner Fink of SuSE,
   for discovering the bug and notifying us.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6G+9P18sy83A/qfwRAkS1AJ9il/Q9CTF8cZV/fD1YhCW/stpVhACfbsEo
Tpo6ZRg+ig4sf5k6k+v7fFs=
=YOJJ
-----END PGP SIGNATURE-----

(5769862) --------------------------------(Rewrapped)
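
Added example, not part of the Caldera advisory: section 1 says ghostscript was linked so that it picks up shared libraries from the current directory, without naming the mechanism. Assuming the usual cause, an RPATH/RUNPATH search path with an empty or relative element, this shell script flags such elements in `readelf -d` output; the function names and the sample dynamic section are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Caldera's code). Assumption: the unsafe linking shows up
# as an RPATH/RUNPATH element that is empty or relative, which the dynamic
# loader can resolve against the caller's working directory.

# Read `readelf -d` output on stdin; print one line per risky element.
unsafe_rpath_entries() {
    awk '
    /\((RPATH|RUNPATH)\)/ {
        tag = ($0 ~ /\(RUNPATH\)/) ? "RUNPATH" : "RPATH"
        # The search path is the text between the square brackets.
        if (!match($0, /\[.*\]/)) next
        path = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(path, elem, ":")
        if (path == "") { n = 1; elem[1] = "" }   # "[]" is one empty element
        for (i = 1; i <= n; i++) {
            e = elem[i]
            if (e == "")
                print tag ": <empty>"             # empty element
            else if (substr(e, 1, 1) == "/")
                continue                          # absolute path: fine
            else if (index(e, "$ORIGIN") == 1 || index(e, "${ORIGIN}") == 1)
                continue                          # relative to the binary, not the cwd
            else
                print tag ": " e                  # relative path such as "." or "lib"
        }
    }'
}

# Audit an installed binary (requires readelf from binutils).
audit_binary() {
    readelf -d "$1" 2>/dev/null | unsafe_rpath_entries
}

# Constructed sample of `readelf -d` lines, for demonstration only.
sample_dynamic_section() {
    cat <<'EOF'
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000f (RPATH)                      Library rpath: [/usr/lib::lib]
 0x0000001d (RUNPATH)                    Library runpath: [$ORIGIN/../lib:.]
EOF
}

sample_dynamic_section | unsafe_rpath_entries
```

On a live system, `audit_binary` pointed at the installed gs binary gives the same report; no output means no empty or relative search-path element was found.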