Security Advisory Details

NS-SA-2025-0085

2025-05-28 09:42:34

Summary

important: ghostscript/libarchive security update

Severity

important

Topic

An update for ghostscript/libarchive is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

ghostscript:
libarchive:


Security Fix(es):
ghostscript: A flaw was found in Artifex Ghostscript base/gsdevice.c. This vulnerability allows path truncation, path traversal, and possible code execution via an integer overflow when parsing the filename format string for the output filename. (CVE-2024-46953)
ghostscript: A flaw was found in Ghostscript/base/gp_utf8.c. This vulnerability allows directory traversal via overlong UTF-8 encoding, potentially leading to unauthorized access to filesystem directories. (CVE-2024-46954)
ghostscript: A flaw was found in Artifex Ghostscript's psi/zfile.c component. This vulnerability allows arbitrary code execution via out-of-bounds data access. (CVE-2024-46956)
ghostscript: bugfix
libarchive: A flaw was found in the libarchive library. A heap-based buffer overflow in the execute_filter_e8 function in the libarchive/archive_read_support_format_rar.c file can be triggered when a specially crafted RAR archive is processed, causing a crash in the application linked to the library and resulting in a denial of service. (CVE-2024-26256)
libarchive: A flaw was found in the libarchive library. An out-of-bounds access in the execute_filter_audio function in the libarchive/archive_read_support_format_rar.c file can be triggered due to a missing validation when a specially crafted RAR archive is processed. This issue may cause the application linked to the library to crash, resulting in a denial of service. (CVE-2024-48957)
libarchive: A flaw was found in the libarchive library. An out-of-bounds access in the execute_filter_delta function in the libarchive/archive_read_support_format_rar.c file can be triggered due to a missing validation when a specially crafted RAR archive is processed. This issue may cause the application linked to the library to crash, resulting in a denial of service. (CVE-2024-48958)
libarchive: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

Affected Components

  • ghostscript
  • libarchive

Affected Products

  • CGSL MAIN 7.02

Update Packages

CGSL MAIN 7.02
  • ghostscript-10.02.1-1.zncgsl7.7.src.rpm
    • ghostscript-10.02.1-1.zncgsl7.7.x86_64.rpm
    • ghostscript-tools-fonts-10.02.1-1.zncgsl7.7.x86_64.rpm
    • ghostscript-tools-printing-10.02.1-1.zncgsl7.7.x86_64.rpm
    • libgs-10.02.1-1.zncgsl7.7.x86_64.rpm
  • libarchive-3.7.1-1.zncgsl7.7.src.rpm
    • libarchive-3.7.1-1.zncgsl7.7.x86_64.rpm

CVE

References

© 2004-2023 Guangdong ZTE NewStart Technology Co., Ltd. All rights reserved (www.gd-linux.com) 粤ICP备15061780号-2

National service hotline: 400-033-0108