Bug#839260: ghostscript: various sandbox bypasses

To: Florian Weimer <fw@deneb.enyo.de>, 839260@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#839260: ghostscript: various sandbox bypasses
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 5 Oct 2016 19:19:04 +0200
Message-id: <[🔎] 20161005171904.nyubcxah45rw7bud@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 839260@bugs.debian.org
In-reply-to: <87r381ysrt.fsf@mid.deneb.enyo.de>
References: <87r381ysrt.fsf@mid.deneb.enyo.de>

clone 839260 -1
retitle -1 ghostscript: .libfile doesn't check PermitFileReading array, allowing remote file disclosure
forwarded -1 http://bugs.ghostscript.com/show_bug.cgi?id=697169
retitle 839260 ghostscript: various userparams allow %pipe% in paths, allowing remote shell command execution
forwarded 839260 http://bugs.ghostscript.com/show_bug.cgi?id=697178
thanks

Hi

Hope I will not create a mess here. But on oss-security two distinct
CVE id's were requested for the respecive issues for those two
upstream bugs. So let's try to separate them here as well.

FTR, the CVE request is here:
http://www.openwall.com/lists/oss-security/2016/10/05/7

Regards,
Salvatore

Reply to:

Follow-Ups:
- Processed: Re: Bug#839260: ghostscript: various sandbox bypasses
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: hplip 3.16.9+repack0-1 MIGRATED to testing
Next by Date: Processed: Re: Bug#839260: ghostscript: various sandbox bypasses
Previous by thread: foomatic-db_20161005-1_source.changes ACCEPTED into unstable
Next by thread: Processed: Re: Bug#839260: ghostscript: various sandbox bypasses
Index(es):
- Date
- Thread