Date: Mon, 9 Dec 2019 20:54:17 +0000 (UTC) From: Tijl Coosemans <tijl@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r519632 - head/security/vuxml Message-ID: <201912092054.xB9KsHHT079715@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tijl Date: Mon Dec 9 20:54:17 2019 New Revision: 519632 URL: https://svnweb.freebsd.org/changeset/ports/519632 Log: Document Ghostscript vulnerabilities. Security: CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Dec 9 20:26:00 2019 (r519631) +++ head/security/vuxml/vuln.xml Mon Dec 9 20:54:17 2019 (r519632) @@ -58,6 +58,64 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="22ae307a-1ac4-11ea-b267-001cc0382b2f"> + <topic>Ghostscript -- Security bypass vulnerabilities</topic> + <affects> + <package> + <name>ghostscript9-agpl-base</name> + <name>ghostscript9-agpl-x11</name> + <range><lt>9.50</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Cedric Buissart (Red Hat) reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14811"> + <p>A flaw was found in, ghostscript versions prior to 9.50, in the + .pdf_hook_DSC_Creator procedure where it did not properly secure + its privileged calls, enabling scripts to bypass `-dSAFER` + restrictions. A specially crafted PostScript file could disable + security protection and then have access to the file system, or + execute arbitrary commands.</p> + </blockquote> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14812"> + <p>A flaw was found in all ghostscript versions 9.x before 9.50, in + the .setuserparams2 procedure where it did not properly secure its + privileged calls, enabling scripts to bypass `-dSAFER` + restrictions. A specially crafted PostScript file could disable + security protection and then have access to the file system, or + execute arbitrary commands.</p> + </blockquote> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14813"> + <p>A flaw was found in ghostscript, versions 9.x before 9.50, in the + setsystemparams procedure where it did not properly secure its + privileged calls, enabling scripts to bypass `-dSAFER` + restrictions. A specially crafted PostScript file could disable + security protection and then have access to the file system, or + execute arbitrary commands.</p> + </blockquote> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14817"> + <p>A flaw was found in, ghostscript versions prior to 9.50, in the + .pdfexectoken and other procedures where it did not properly secure + its privileged calls, enabling scripts to bypass `-dSAFER` + restrictions. A specially crafted PostScript file could disable + security protection and then have access to the file system, or + execute arbitrary commands.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-14811</cvename> + <cvename>CVE-2019-14812</cvename> + <cvename>CVE-2019-14813</cvename> + <cvename>CVE-2019-14817</cvename> + </references> + <dates> + <discovery>2019-08-20</discovery> + <entry>2019-12-09</entry> + </dates> + </vuln> + <vuln vid="ca3fe5b3-185e-11ea-9673-4c72b94353b5"> <topic>phpmyadmin -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201912092054.xB9KsHHT079715>