List:       oss-security
Subject:    Re: [oss-security] CVE request: ghostscript and gv
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2010-08-26 8:29:25
Message-ID: 20100826102925.76628c88 () redhat ! com

On Wed, 25 Aug 2010 15:23:34 +0200 Ludwig Nussel wrote:

> > - some ghostscript versions search CWD even when started with -P-
> 
> ... as it turned out neither a) nor b) actually solve the problem:
> http://bugs.ghostscript.com/show_bug.cgi?id=691350#c11
> 
> So fixing gs must be part of the solution always. That's
> http://svn.ghostscript.com/viewvc?view=rev&revision=11352

Yes, that's what I was referring to.

> Therefore up to three CVE numbers could be assigned
> a) insecure default of gs
> b) applications don't pass -P-
> c) non working -P-/SEARCH_HERE_FIRST
> 
> Fixing a) means b) isn't needed but then it's just a compile time
> default that may or may not be changed by distros.
> 
> Both a) and b) imply a fix for c) though. No idea if a separate CVE
> is actually useful in that case.

b) is likely to require a per-application CVE.  With the changed default,
one won't need to care about them though.  I agree c) should better get
a separate CVE if it's not what CVE-2010-2055 text already tries to
describe, given the "related to improper support for the -P- option"
part.

-- 
Tomas Hoger / Red Hat Security Response Team