List: oss-security
Subject: Re: [oss-security] CVE request: ghostscript and gv
From: Tomas Hoger <thoger () redhat ! com>
Date: 2010-08-26 8:29:25
Message-ID: 20100826102925.76628c88 () redhat ! com
On Wed, 25 Aug 2010 15:23:34 +0200 Ludwig Nussel wrote:
> > - some ghostscript versions search CWD even when started with -P-
>
> ... as it turned out neither a) nor b) actually solve the problem:
> http://bugs.ghostscript.com/show_bug.cgi?id=691350#c11
>
> So fixing gs must be part of the solution always. That's
> http://svn.ghostscript.com/viewvc?view=rev&revision=11352
Yes, that's what I was referring to.
> Therefore up to three CVE numbers could be assigned
> a) insecure default of gs
> b) applications don't pass -P-
> c) non-working -P-/SEARCH_HERE_FIRST
>
> Fixing a) means b) isn't needed but then it's just a compile time
> default that may or may not be changed by distros.
>
> Both a) and b) imply a fix for c) though. No idea if a separate CVE
> is actually useful in that case.
b) is likely to require a per-application CVE. With the changed default,
one won't need to care about them though. I agree c) should better get
a separate CVE if it's not what CVE-2010-2055 text already tries to
describe, given the "related to improper support for the -P- option"
part.
--
Tomas Hoger / Red Hat Security Response Team