| author | Stefan Ghinea <stefan.ghinea@windriver.com> | 2019-09-10 09:34:12 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-09-16 23:02:44 +0100 |
| commit | 7f87451e6ea28cb028598e5358387d2c06e291a9 (patch) | |
| tree | 143eb226c481418dcc1bbb4f4724a8e7249d3712 /scripts/combo-layer-hook-default.sh | |
| parent | 7920994ba885f6ffbf4f152ff6369a714775b9e0 (diff) | |
| download | poky-7f87451e6ea28cb028598e5358387d2c06e291a9.tar.gz | |
ghostscript: CVE-2019-14811, CVE-2019-14817
A flaw was found in ghostscript versions prior to 9.28,
in the .pdf_hook_DSC_Creator procedure where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.
A flaw was found in ghostscript versions prior to 9.28,
in the .pdfexectoken and other procedures where it did not
properly secure its privileged calls, enabling scripts to
bypass `-dSAFER` restrictions. A specially crafted PostScript
file could disable security protection and then have access
to the file system, or execute arbitrary commands.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-14811
https://nvd.nist.gov/vuln/detail/CVE-2019-14817
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
(From OE-Core rev: 1533b92848ea73d6fe6ba22d87d7b6749b47842c)
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'scripts/combo-layer-hook-default.sh')
0 files changed, 0 insertions, 0 deletions
