Security Advisory Details

NS-SA-2019-0265

2019-12-31 11:29:41

Summary

important: ghostscript/thunderbird security update

Severity

important

Topic

An update for ghostscript/thunderbird is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

ghostscript: This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages. Its primary purpose includes displaying (rasterization & rendering) and printing of document pages, as well as conversions between different document formats.
thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.


Security Fix(es):
ghostscript: A flaw was found in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands. (CVE-2019-14869)
ghostscript: bugfix
thunderbird: No description is available for this CVE. (CVE-2019-17010)
thunderbird: No description is available for this CVE. (CVE-2019-17011)
thunderbird: No description is available for this CVE. (CVE-2019-17012)
thunderbird: No description is available for this CVE. (CVE-2019-17008)
thunderbird: No description is available for this CVE. (CVE-2019-17005)
thunderbird: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F21.

Affected Components

  • ghostscript
  • thunderbird

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Updated Packages

CGSL MAIN 5.04:

  • Source: ghostscript-9.25-2.el7_7.3.src.rpm
      • ghostscript-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-cups-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-debuginfo-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-doc-9.25-2.el7_7.3.noarch.rpm
      • ghostscript-gtk-9.25-2.el7_7.3.x86_64.rpm
      • libgs-9.25-2.el7_7.3.x86_64.rpm
      • libgs-devel-9.25-2.el7_7.3.x86_64.rpm
  • Source: thunderbird-68.3.0-1.el7.centos.src.rpm
      • thunderbird-68.3.0-1.el7.centos.x86_64.rpm
      • thunderbird-debuginfo-68.3.0-1.el7.centos.x86_64.rpm

CGSL CORE 5.04:

  • Source: ghostscript-9.25-2.el7_7.3.src.rpm
      • ghostscript-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-cups-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-debuginfo-9.25-2.el7_7.3.x86_64.rpm
      • ghostscript-doc-9.25-2.el7_7.3.noarch.rpm
      • ghostscript-gtk-9.25-2.el7_7.3.x86_64.rpm
      • libgs-9.25-2.el7_7.3.x86_64.rpm
      • libgs-devel-9.25-2.el7_7.3.x86_64.rpm
  • Source: thunderbird-68.3.0-1.el7.centos.src.rpm
      • thunderbird-68.3.0-1.el7.centos.x86_64.rpm
      • thunderbird-debuginfo-68.3.0-1.el7.centos.x86_64.rpm

CVE

References