Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2139-1 Final 1 1 2019-09-16T04:17:00Z current 2019-09-16T04:17:00Z 2019-09-16T04:17:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript fixes the following issues: Security issue fixed: - CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FW24DFNY77J4KEU5ORI5WO22DIZS5RJA/#FW24DFNY77J4KEU5ORI5WO22DIZS5RJA E-Mail link for openSUSE-SU-2019:2139-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1144621 SUSE Bug 1144621 https://www.suse.com/security/cve/CVE-2019-10216/ SUSE CVE CVE-2019-10216 page openSUSE Leap 15.1 ghostscript-9.26a-lp151.3.3.1 ghostscript-devel-9.26a-lp151.3.3.1 ghostscript-mini-9.26a-lp151.3.3.1 ghostscript-mini-devel-9.26a-lp151.3.3.1 ghostscript-x11-9.26a-lp151.3.3.1 ghostscript-9.26a-lp151.3.3.1 as a component of openSUSE Leap 15.1 ghostscript-devel-9.26a-lp151.3.3.1 as a component of openSUSE Leap 15.1 ghostscript-mini-9.26a-lp151.3.3.1 as a component of openSUSE Leap 15.1 ghostscript-mini-devel-9.26a-lp151.3.3.1 as a component of openSUSE Leap 15.1 ghostscript-x11-9.26a-lp151.3.3.1 as a component of openSUSE Leap 15.1 In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. CVE-2019-10216 openSUSE Leap 15.1:ghostscript-9.26a-lp151.3.3.1 openSUSE Leap 15.1:ghostscript-devel-9.26a-lp151.3.3.1 openSUSE Leap 15.1:ghostscript-mini-9.26a-lp151.3.3.1 openSUSE Leap 15.1:ghostscript-mini-devel-9.26a-lp151.3.3.1 openSUSE Leap 15.1:ghostscript-x11-9.26a-lp151.3.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FW24DFNY77J4KEU5ORI5WO22DIZS5RJA/#FW24DFNY77J4KEU5ORI5WO22DIZS5RJA https://www.suse.com/security/cve/CVE-2019-10216.html CVE-2019-10216 https://bugzilla.suse.com/1144621 SUSE Bug 1144621 https://bugzilla.suse.com/1146882 SUSE Bug 1146882 https://bugzilla.suse.com/1146884 SUSE Bug 1146884