Contents of /24548.adv

Revision 8431
Fri Apr 5 17:37:07 2019 UTC (5 years ago) by tmb
File size: 984 byte(s)
MGASA-2019-0130: ghostscript-9.26-1.3.mga6
type: security
subject: Updated ghostscript packages fix security vulnerability
CVE:
  - CVE-2019-3835
  - CVE-2019-3838
src:
  6:
    core:
      - ghostscript-9.26-1.3.mga6
description: |
  It was found that the superexec operator was available in the internal
  dictionary. A specially crafted PostScript file could use this flaw in
  order to, for example, have access to the file system outside of the
  constraints imposed by -dSAFER. (CVE-2019-3835)

  It was found that the forceput operator could be extracted from the
  DefineResource method using methods similar to the ones described in
  CVE-2019-6116. A specially crafted PostScript file could use this flaw in
  order to, for example, have access to the file system outside of the
  constraints imposed by -dSAFER. (CVE-2019-3838)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=24548
  - https://www.openwall.com/lists/oss-security/2019/03/21/1
  - https://access.redhat.com/errata/RHSA-2019:0633
ID: MGASA-2019-0130