Date: Sun, 17 Jan 2021 22:23:34 +0000 (UTC)
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r561880 - head/security/vuxml
Message-ID: <202101172223.10HMNY8G069430@repo.freebsd.org>
Author: 0mp Date: Sun Jan 17 22:23:34 2021 New Revision: 561880 URL: https://svnweb.freebsd.org/changeset/ports/561880 Log: Document ghostscript9-agpl-base vulnerability committed in r544907 PR: 248580 Requested by: joneum (ports-secteam) Reported by: VVD <vvd@unislabs.com> MFH: 2021Q1 Security: CVE-2020-15900 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Jan 17 22:22:19 2021 (r561879) +++ head/security/vuxml/vuln.xml Sun Jan 17 22:23:34 2021 (r561880) @@ -58,6 +58,37 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="62642942-590f-11eb-a0dc-8c164582fbac"> + <topic>Ghostscript -- SAFER Sandbox Breakout</topic> + <affects> + <package> + <name>ghostscript9-agpl-base</name> + <range><ge>9.50</ge><lt>9.52_8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>SO-AND-SO reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2020-15900"> + <p>A memory corruption issue was found in Artifex + Ghostscript 9.50 and 9.52. Use of a non-standard + PostScript operator can allow overriding of file access + controls. The 'rsearch' calculation for the 'post' size + resulted in a size that was too large, and could underflow + to max uint32_t. This was fixed in commit + 5d499272b95a6b890a1397e11d20937de000d31b.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nvd.nist.gov/vuln/detail/CVE-2020-15900</url> + </references> + <dates> + <discovery>2020-07-28</discovery> + <entry>2021-01-17</entry> + </dates> + </vuln> + <vuln vid="08b553ed-537a-11eb-be6e-0022489ad614"> <topic>Node.js -- January 2021 Security Releases</topic> <affects>
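Review bot: The `<p>SO-AND-SO reports:</p>` line in the new entry's `<body>` is the template placeholder left unfilled; since the blockquote cites nvd.nist.gov, it should name that source (for example "NVD reports:"). The `<references>` block also carries only the `<url>`; adding `<cvename>CVE-2020-15900</cvename>` there would record in the entry itself the CVE id that the commit log gives on its Security: line.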