Your message dated Tue, 16 Nov 2010 07:59:40 +0100
with message-id <20101116065940.gf5...@jones.dk>
and subject line Re: Bug#584653: Ghostscript 9.0 does not seem to have the 
problem
has caused the Debian Bug report #584653,
regarding ghostscript: CVE-2010-2055 code loaded from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
584653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 8.71~dfsg2-6
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.  There are a bunch of upstream patches for
this [1]. Marking the bug as serious for now since the issue should be
fixed before squeeze's release since it will be very painful to fix
after that.

CVE-2010-2055[0]:
| Ghostscript 8.71 and earlier reads initialization files from the
| current working directory, which allows local users to execute
| arbitrary PostScript commands via a Trojan horse file, related to
| improper support for the -P- option to the gs program.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2055
    http://security-tracker.debian.org/tracker/CVE-2010-2055
[1] http://bugs.ghostscript.com/show_bug.cgi?id=691350



--- End Message ---
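The CVE text above describes initialization files being picked up from the current working directory. The following is an added example, not part of the original messages and not Debian or Ghostscript code: a pre-flight check and a private-directory wrapper for running a tool from a directory others may write to. The function names are hypothetical, and the file-name patterns (`gs_init.ps`, the `gs_*.ps` glob, `Fontmap`) are an assumption about which startup files are looked up.

```shell
#!/bin/sh
# Added example (not from the bug report): guard against startup files
# planted in the working directory, the condition behind CVE-2010-2055.
# ASSUMPTION: gs_*.ps (e.g. gs_init.ps) and Fontmap* are the startup
# files of interest; extend the patterns to match your installation.

# gs_cwd_check DIR
# Lists files in DIR that look like interpreter startup files.
# Returns 0 when DIR is clean, 1 when at least one candidate was found.
gs_cwd_check() {
    dir=${1:-.}
    found=0
    for f in "$dir"/gs_*.ps "$dir"/Fontmap "$dir"/Fontmap.*; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal: skip it
        printf 'suspicious init file: %s\n' "$f"
        found=1
    done
    return "$found"
}

# run_in_private_cwd CMD [ARGS...]
# Runs CMD from a freshly created directory that only the caller can
# write to, so lookups relative to "." cannot reach files planted by
# another local user. Pass input and output files as absolute paths.
run_in_private_cwd() {
    tmp=$(mktemp -d) || return 1
    rc=0
    ( cd "$tmp" && "$@" ) || rc=$?
    rmdir "$tmp" 2>/dev/null || rm -rf "$tmp"
    return "$rc"
}

# Typical use, with constructed paths:
#   gs_cwd_check /srv/spool/incoming || echo "refusing to run here" >&2
#   run_in_private_cwd gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
#       -sOutputFile=/abs/path/out.pdf /abs/path/in.ps
```

The check only reports; upgrading to a fixed package (the thread reports 9.00~dfsg-1 no longer reproduces the problem) remains the actual remedy.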
--- Begin Message ---
Version: 9.00~dfsg-1

On Mon, Nov 15, 2010 at 11:38:30PM -0500, Asheesh Laroia wrote:
> I used the "doh" recipe to reproduce the bug on sid. That works fine.
>
> I just installed ghostscript 9.0 from Jonas's repositories. That recipe no longer reproduces the bug.

This is great news.

Thanks a lot for your help testing this!

For completeness' sake, could you please tell me on which version of Debian (squeeze, sid) you tested this?


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


--- End Message ---