An update for ghostscript is now available for openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2178 Final 1.0 1.0 2024-09-27 Initial 2024-09-27 2024-09-27 openEuler SA Tool V1.0 2024-09-27 ghostscript security update An update for ghostscript is now available for openEuler-22.03-LTS-SP1 Ghostscript is an interpreter for PostScript™ and Portable Document Format (PDF) files. Ghostscript consists of a PostScript interpreter layer, and a graphics library. Security Fix(es): An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.(CVE-2023-52722) An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.(CVE-2024-33869) An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.(CVE-2024-33870) An update for ghostscript is now available for openEuler-22.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ghostscript https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2178 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-52722 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-33869 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-33870 https://nvd.nist.gov/vuln/detail/CVE-2023-52722 https://nvd.nist.gov/vuln/detail/CVE-2024-33869 https://nvd.nist.gov/vuln/detail/CVE-2024-33870 openEuler-22.03-LTS-SP1 ghostscript-9.55.0-10.oe2203sp1.aarch64.rpm ghostscript-debuginfo-9.55.0-10.oe2203sp1.aarch64.rpm ghostscript-debugsource-9.55.0-10.oe2203sp1.aarch64.rpm ghostscript-devel-9.55.0-10.oe2203sp1.aarch64.rpm ghostscript-tools-dvipdf-9.55.0-10.oe2203sp1.aarch64.rpm ghostscript-9.55.0-10.oe2203sp1.src.rpm ghostscript-9.55.0-10.oe2203sp1.x86_64.rpm ghostscript-debuginfo-9.55.0-10.oe2203sp1.x86_64.rpm ghostscript-debugsource-9.55.0-10.oe2203sp1.x86_64.rpm ghostscript-devel-9.55.0-10.oe2203sp1.x86_64.rpm ghostscript-tools-dvipdf-9.55.0-10.oe2203sp1.x86_64.rpm ghostscript-help-9.55.0-10.oe2203sp1.noarch.rpm An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. 2024-09-27 CVE-2023-52722 openEuler-22.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N ghostscript security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2178 An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename. 2024-09-27 CVE-2024-33869 openEuler-22.03-LTS-SP1 None 0.0 None ghostscript security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2178 An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted. 2024-09-27 CVE-2024-33870 openEuler-22.03-LTS-SP1 None 0.0 None ghostscript security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2178