CERT RENATER Advisories

Date : Wed, 01 Jul 2009 12:00:06 +0200
Type : VULN
Subject : CERT-Renater : 2009/VULN271 (Sun: Multiple Security Vulnerabilities in Solaris Ghostscript)
====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN271
_____________________________________________________________________

DATE                      : 01/07/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris, OpenSolaris running Ghostscript.

======================================================================
http://sunsolve.sun.com/search/document.do?assetkey=1-66-262288-1
______________________________________________________________________

Solution Type Sun Alert

Solution  262288 :   Multiple Security Vulnerabilities in Solaris
                     Ghostscript (GS(1)) May lead to Denial of Service
                     (DoS) or Execution of Arbitrary Code
Bug ID:              6830965, 6837966, 6837974, 6841014
Product:             Solaris 9 Operating System
                     Solaris 10 Operating System
                     OpenSolaris
Date of Workaround Release: 24-Jun-2009

SA Document Body

Multiple Security Vulnerabilities in Solaris Ghostscript (GS(1)) May lead
to Denial of Service (DoS) or Execution of Arbitrary Code


1. Impact

Multiple security vulnerabilities exist in Ghostscript (GS(1)), an
interpreter for the PostScript and PDF languages. Ghostscript is bundled in
Solaris 9 and 10.

These issues may allow local or remote unprivileged users to supply
specially crafted PostScript or PDF files, thereby causing a Denial of
Service (DoS) condition to applications using the Ghostscript interpreter,
or lead to execution of arbitrary code with the privileges of the user
running Ghostscript.

Additional information regarding these issues is available at:

CVE-2007-6725 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
CVE-2008-6679 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
CVE-2009-0196 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
CVE-2009-0583 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583
CVE-2009-0584 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
CVE-2009-0792 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

    * Solaris 9
    * Solaris 10 without patch 122259-02
    * OpenSolaris based upon builds snv_01 through snv_114

x86 Platform

    * Solaris 9
    * Solaris 10 without patch 122260-02
    * OpenSolaris based upon builds snv_01 through snv_114

Note: Solaris 8 does not include support for Ghostscript and therefore is
      not impacted by these issues.

OpenSolaris distributions may include additional bug fixes above and beyond
the build from which they were derived. The base build can be derived as
follows:

$ uname -v
snv_86

3. Symptoms

There are no predictable symptoms that would indicate these issues have
been exploited.

4. Workaround

Until patches are available, users should avoid processing PostScript and
PDF files from untrusted sources.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform

    * Solaris 10 with patch 122259-02 or later
    * OpenSolaris based upon builds snv_115 or later

x86 Platform

    * Solaris 10 with patch 122260-02 or later
    * OpenSolaris based upon builds snv_115 or later

A final resolution is pending completion for Solaris 9.

For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
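
The release and patch matrix in sections 2 and 5 can be checked per host with a small shell function. This is an added example, not part of the Sun Alert or of CERT-Renater's note. It assumes that `uname -r` reports 5.8/5.9/5.10 for Solaris 8/9/10 and 5.11 for OpenSolaris, and that `showrev -p` lists installed patches one per line as "Patch: NNNNNN-RR ..."; the function name and the sample patch list are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host against Sun Alert 262288.
# On a live host:
#   gs_alert_status "$(uname -p)" "$(uname -r)" "$(uname -v)" "$(showrev -p)"
# Exit status: 0 = not exposed, 1 = affected, 2 = undetermined.

# Constructed sample of `showrev -p` output (x86 host, patch at revision -01;
# the first line is a placeholder for an unrelated patch).
SAMPLE_PATCHES='Patch: 000000-00 Obsoletes:  Requires:  Incompatibles:  Packages: PLACEHOLDER
Patch: 122260-01 Obsoletes:  Requires:  Incompatibles:  Packages: PLACEHOLDER'

gs_alert_status() {
    arch=$1; release=$2; version=$3; patches=$4
    case $release in
    5.8) echo "not-affected: Solaris 8 does not include Ghostscript"; return 0 ;;
    5.9) echo "affected: Solaris 9, resolution pending, use the workaround"; return 1 ;;
    5.10)
        case $arch in
        sparc) base=122259 ;;
        i386)  base=122260 ;;
        *) echo "unknown: unrecognised platform '$arch'"; return 2 ;;
        esac
        # Highest installed revision of the Ghostscript patch, if any.
        rev=$(printf '%s\n' "$patches" |
              sed -n "s/^Patch: $base-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1)
        if [ -n "$rev" ] && [ "$rev" -ge 2 ]; then
            echo "fixed: patch $base-$rev installed"; return 0
        fi
        echo "affected: Solaris 10 without patch $base-02"; return 1 ;;
    5.11)
        # A build string may carry a trailing letter; compare the number only.
        build=$(printf '%s\n' "$version" | sed -n 's/^snv_\([0-9][0-9]*\).*/\1/p')
        [ -n "$build" ] || { echo "unknown: cannot parse build '$version'"; return 2; }
        if [ "$build" -ge 115 ]; then
            echo "fixed: OpenSolaris build snv_$build"; return 0
        fi
        echo "affected: OpenSolaris build snv_$build (fixed in snv_115)"; return 1 ;;
    *) echo "unknown: release '$release' is not covered by this alert"; return 2 ;;
    esac
}
```

An "affected" result on Solaris 9, or on any host that cannot be patched yet, means the workaround in section 4 still applies.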
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================