Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1121-1 Final 1 1 2019-04-02T11:06:03Z current 2019-04-02T11:06:03Z 2019-04-02T11:06:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript fixes the following issue: Security issue fixed: - CVE-2019-3838: Fixed a vulnerability which made forceput operator in DefineResource to be still accessible which could allow access to file system outside of the constraints of -dSAFER (bsc#1129186). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1121 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VNMB7SY4NA6CB3TLYX3CCJWSCLZI2SXL/#VNMB7SY4NA6CB3TLYX3CCJWSCLZI2SXL E-Mail link for openSUSE-SU-2019:1121-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129186 SUSE Bug 1129186 https://www.suse.com/security/cve/CVE-2019-3838/ SUSE CVE CVE-2019-3838 page openSUSE Leap 15.0 ghostscript-9.26a-lp150.2.17.2 ghostscript-devel-9.26a-lp150.2.17.2 ghostscript-mini-9.26a-lp150.2.17.2 ghostscript-mini-devel-9.26a-lp150.2.17.2 ghostscript-x11-9.26a-lp150.2.17.2 ghostscript-9.26a-lp150.2.17.2 as a component of openSUSE Leap 15.0 ghostscript-devel-9.26a-lp150.2.17.2 as a component of openSUSE Leap 15.0 ghostscript-mini-9.26a-lp150.2.17.2 as a component of openSUSE Leap 15.0 ghostscript-mini-devel-9.26a-lp150.2.17.2 as a component of openSUSE Leap 15.0 ghostscript-x11-9.26a-lp150.2.17.2 as a component of openSUSE Leap 15.0 It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. CVE-2019-3838 openSUSE Leap 15.0:ghostscript-9.26a-lp150.2.17.2 openSUSE Leap 15.0:ghostscript-devel-9.26a-lp150.2.17.2 openSUSE Leap 15.0:ghostscript-mini-9.26a-lp150.2.17.2 openSUSE Leap 15.0:ghostscript-mini-devel-9.26a-lp150.2.17.2 openSUSE Leap 15.0:ghostscript-x11-9.26a-lp150.2.17.2 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VNMB7SY4NA6CB3TLYX3CCJWSCLZI2SXL/#VNMB7SY4NA6CB3TLYX3CCJWSCLZI2SXL https://www.suse.com/security/cve/CVE-2019-3838.html CVE-2019-3838 https://bugzilla.suse.com/1018128 SUSE Bug 1018128 https://bugzilla.suse.com/1030263 SUSE Bug 1030263 https://bugzilla.suse.com/1032135 SUSE Bug 1032135 https://bugzilla.suse.com/1038835 SUSE Bug 1038835 https://bugzilla.suse.com/1050888 SUSE Bug 1050888 https://bugzilla.suse.com/1050889 SUSE Bug 1050889 https://bugzilla.suse.com/1106171 SUSE Bug 1106171 https://bugzilla.suse.com/1106172 SUSE Bug 1106172 https://bugzilla.suse.com/1106173 SUSE Bug 1106173 https://bugzilla.suse.com/1107422 SUSE Bug 1107422 https://bugzilla.suse.com/1107423 SUSE Bug 1107423 https://bugzilla.suse.com/1107581 SUSE Bug 1107581 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 https://bugzilla.suse.com/1114495 SUSE Bug 1114495 https://bugzilla.suse.com/1117022 SUSE Bug 1117022 https://bugzilla.suse.com/1117327 SUSE Bug 1117327 https://bugzilla.suse.com/1118318 SUSE Bug 1118318 https://bugzilla.suse.com/1129180 SUSE Bug 1129180 https://bugzilla.suse.com/1129186 SUSE Bug 1129186 https://bugzilla.suse.com/1136756 SUSE Bug 1136756