Date: Wed, 04 Jan 2012 09:53:31 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: Ramon de C Valle <rcvalle@...hat.com>, Vincent Danen <vdanen@...hat.com>, Tomas Hoger <thoger@...hat.com>
Subject: Re: CVE request: ghostscript: system initialization file uncontrolled search path element

On 01/04/2012 04:56 AM, Ramon de C Valle wrote:
> Hi Kurt,
>
> We identified and are separating the bugs discussed in Bug 599564 in two
> different issues. Can you assign a CVE Identifier to the following issue:
>
> Ghostscript included the current working directory in its library search
> path by default. If a user ran Ghostscript without the "-P-" option in an
> attacker-controlled directory containing a specially-crafted PostScript
> library file, it could cause Ghostscript to execute arbitrary PostScript
> code. With this update, Ghostscript no longer searches the current working
> directory for library files by default.
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=599564
>
> Thanks,
>

Assigning a 2010 CVE since this was made public in 2010.

Please use CVE-2010-4820 for this issue.

--

-- Kurt Seifried / Red Hat Security Response Team
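
A pre-flight wrapper for the condition described in the request above, added here as an example and not part of the original thread or of Ghostscript: it refuses to run when the current directory contains files whose names collide with installed library files, and otherwise forces `-P-`. The function names and the caller-supplied LIBDIR argument (the installed Ghostscript library directory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): checks to make before running
# Ghostscript in a directory that other users may be able to write to.

# has_no_cwd_search ARG...
# Succeeds only if "-P-" is among the Ghostscript arguments.
has_no_cwd_search() {
    for arg in "$@"; do
        [ "$arg" = "-P-" ] && return 0
    done
    return 1
}

# shadowed_lib_files LIBDIR [DIR]
# Prints the names of files in DIR (default: current directory) that also
# exist in LIBDIR, i.e. files a cwd-first library search would load
# instead of the installed copies. LIBDIR is supplied by the caller.
shadowed_lib_files() {
    libdir=$1
    dir=${2:-.}
    for f in "$libdir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and empty globs
        name=${f##*/}
        [ -e "$dir/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# safe_gs LIBDIR ARG...
# Returns 2 without starting gs when the working directory shadows a
# library file; otherwise runs gs with -P- added if the caller omitted it.
safe_gs() {
    libdir=$1; shift
    hits=$(shadowed_lib_files "$libdir" .)
    if [ -n "$hits" ]; then
        printf 'refusing: cwd shadows Ghostscript library files:\n%s\n' "$hits" >&2
        return 2
    fi
    if has_no_cwd_search "$@"; then
        gs "$@"
    else
        gs -P- "$@"
    fi
}
```

A non-empty result from `shadowed_lib_files` is worth investigating on its own, even on a fixed Ghostscript build, since it shows that something placed library-named files in a working directory.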