ALT-BU-2024-13489-3
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2025-03-17
CVE-2024-8925
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could allow a malicious attacker who controls part of the submitted data to exclude a portion of other data, potentially leading to erroneous application behavior.
Modified: 2024-10-16
CVE-2024-8926
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3) may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Modified: 2025-03-18
CVE-2024-8927
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, the HTTP_REDIRECT_STATUS variable is used to check whether or not the CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to the cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
Modified: 2024-10-16
CVE-2024-9026
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
Package appstream-data-generator updated to version 20241002-alt1 for branch sisyphus in task 355580.
Closed bugs
Languages are not excluded in appstream-data-appdata-converter
Languages are not excluded in appstream-data-generator
Package ghostscript updated to version 10.04.0-alt1 for branch sisyphus in task 358837.
Closed vulnerabilities
BDU:2023-03466
Vulnerability in the Ghostscript document processing, conversion and generation software suite, caused by failure to neutralize special elements used in an operating system command, allowing an attacker to execute arbitrary code
BDU:2023-06329
Vulnerability in the gdevijs.c component of the Ghostscript document processing software suite, allowing an attacker to execute arbitrary code
BDU:2023-07662
Vulnerability in the devn_pcx_write_rle() function of the base/gdevdevn.c component of the Ghostscript document processing software suite, allowing an attacker to cause a denial of service
BDU:2024-00187
Vulnerability in the gdev_prn_open_printer_seekable() function of the interpreter of the Ghostscript document processing, conversion and generation software suite, allowing an attacker to cause a denial of service
BDU:2024-05062
Vulnerability in the interpreter of the Ghostscript document processing, conversion and generation software suite, related to an operation exceeding the bounds of a memory buffer, allowing an attacker to escape the isolated software environment
BDU:2024-05063
Vulnerability in the interpreter of the Ghostscript document processing, conversion and generation software suite, related to errors in handling a relative directory path, allowing an attacker to execute arbitrary code
BDU:2024-05064
Vulnerability in the contrib/opvp/gdevopvp.c component of the interpreter of the Ghostscript document processing, conversion and generation software suite, allowing an attacker to execute arbitrary code
BDU:2024-05557
Vulnerability in the Ghostscript document processing, conversion and generation software suite, related to a buffer overflow, allowing an attacker to cause a denial of service
BDU:2024-05558
Vulnerability in the pdfi_apply_filter() function of the Ghostscript document processing, conversion and generation software suite, allowing an attacker to execute arbitrary code, cause a denial of service, or gain full control of the application
BDU:2024-05559
Vulnerability in the pdf_base_font_alloc() function of the Ghostscript document processing, conversion and generation software suite, allowing an attacker to execute arbitrary code or cause a denial of service
BDU:2024-07479
Vulnerability in the psi/zmisc1.c file of the Ghostscript document processing, conversion and generation software suite, related to improper input validation, allowing an attacker to execute arbitrary code on the system
BDU:2024-07480
Vulnerability in the base/gpmisc.c file of the Ghostscript document processing, conversion and generation software suite, related to improper input validation, allowing an attacker to execute arbitrary code on the system
Modified: 2024-12-05
CVE-2023-36664
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
- https://bugs.ghostscript.com/show_bug.cgi?id=706761
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=505eab7782b429017eb434b2b95120855f2b0e3c
- FEDORA-2023-83c805b441
- FEDORA-2023-d8a1c3e5e2
- GLSA-202309-03
- DSA-5446
Modified: 2024-11-21
CVE-2023-38559
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
- RHSA-2023:6544
- RHSA-2023:7053
- https://access.redhat.com/security/cve/CVE-2023-38559
- https://bugs.ghostscript.com/show_bug.cgi?id=706897
- RHBZ#2224367
- https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
- https://lists.debian.org/debian-lts-announce/2023/08/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GBV6BTUREXM6DB3OGHGLMWGAZ3I45TXE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QH7ERAYSSXEYDWWY7LOV7CA5MIDZN3Z6/
Modified: 2024-11-21
CVE-2023-43115
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).
- https://bugs.ghostscript.com/show_bug.cgi?id=707051
- https://ghostscript.com/
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=e59216049cac290fb437a04c4f41ea46826cfba5
- FEDORA-2023-66d60c3df7
- FEDORA-2023-c2665a9ff3
Modified: 2024-11-21
CVE-2023-46751
An issue in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
- https://bugs.ghostscript.com/show_bug.cgi?id=707264
- https://ghostscript.com/
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=dcdbc595c13c9d11d235702dff46bb74c80f7698
- DSA-5578
Modified: 2024-12-05
CVE-2023-52722
An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.
- [oss-security] 20240628 Ghostscript 10.03.1 (2024-05-02) fixed 5 CVEs including CVE-2024-33871 arbitrary code execution
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=afd7188f74918cb51b5fb89f52b54eb16e8acfd1
Modified: 2024-11-21
CVE-2024-29506
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
- https://bugs.ghostscript.com/show_bug.cgi?id=707510
- https://git.ghostscript.com/?p=ghostpdl.git%3Bh=77dc7f699beba606937b7ea23b50cf5974fa64b1
- https://www.openwall.com/lists/oss-security/2024/07/03/7
Modified: 2025-03-17
CVE-2024-29508
Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
- https://bugs.ghostscript.com/show_bug.cgi?id=707510
- https://git.ghostscript.com/?p=ghostpdl.git%3Bh=ff1013a0ab485b66783b70145e342a82c670906a
- https://lists.debian.org/debian-lts-announce/2024/10/msg00022.html
- https://www.openwall.com/lists/oss-security/2024/07/03/7
Modified: 2025-03-20
CVE-2024-29509
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
- https://bugs.ghostscript.com/show_bug.cgi?id=707510
- https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb
- https://www.openwall.com/lists/oss-security/2024/07/03/7
Modified: 2024-11-21
CVE-2024-29510
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
- https://bugs.ghostscript.com/show_bug.cgi?id=707662
- https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/
- https://www.openwall.com/lists/oss-security/2024/07/03/7
- https://www.vicarius.io/vsociety/posts/critical-vulnerability-in-ghostscript-cve-2024-29510
Modified: 2024-11-21
CVE-2024-33869
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
Modified: 2024-11-21
CVE-2024-33870
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
Modified: 2024-11-21
CVE-2024-33871
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
- https://bugs.ghostscript.com/show_bug.cgi?id=707754
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908
- https://www.openwall.com/lists/oss-security/2024/06/28/2
Closed bugs
ghostscript needs to be updated to version 10.01.2 to close CVE-2023-36664
Closed bugs
Steam depends on xorg-dri-vmwgfx
Closed bugs
Steam depends on xorg-dri-vmwgfx