CERT RENATER
====================================================================
                          CERT-Renater

               Information Note No. 2009/VULN271
_____________________________________________________________________

DATE                 : 01/07/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Solaris, OpenSolaris running Ghostscript.

======================================================================
http://sunsolve.sun.com/search/document.do?assetkey=1-66-262288-1
______________________________________________________________________

Solution Type: Sun Alert

Solution 262288 : Multiple Security Vulnerabilities in Solaris Ghostscript (GS(1)) May lead to Denial of Service (DoS) or Execution of Arbitrary Code

Bug ID: 6830965, 6837966, 6837974, 6841014

Product:
    Solaris 9 Operating System
    Solaris 10 Operating System
    OpenSolaris

Date of Workaround Release: 24-Jun-2009

SA Document Body

Multiple Security Vulnerabilities in Solaris Ghostscript (GS(1)) May lead to Denial of Service (DoS) or Execution of Arbitrary Code

1. Impact

Multiple security vulnerabilities exist in Ghostscript (GS(1)), an interpreter for the PostScript and PDF languages. Ghostscript is bundled in Solaris 9 and 10. These issues may allow local or remote unprivileged users to supply specially crafted PostScript or PDF files, thereby causing a Denial of Service (DoS) condition to applications using the Ghostscript interpreter, or lead to execution of arbitrary code with the privileges of the user running Ghostscript.

Additional information regarding these issues is available at:

    CVE-2007-6725 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6725
    CVE-2008-6679 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6679
    CVE-2009-0196 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0196
    CVE-2009-0583 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0583
    CVE-2009-0584 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
    CVE-2009-0792 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

    * Solaris 9
    * Solaris 10 without patch 122259-02
    * OpenSolaris based upon builds snv_01 through snv_114

x86 Platform

    * Solaris 9
    * Solaris 10 without patch 122260-02
    * OpenSolaris based upon builds snv_01 through snv_114

Note: Solaris 8 does not include support for Ghostscript and therefore is not impacted by these issues.

OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:

    $ uname -v
    snv_86

3. Symptoms

There are no predictable symptoms that would indicate these issues have been exploited.

4. Workaround

Until patches are available, users should avoid processing PostScript and PDF files from untrusted sources.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform

    * Solaris 10 with patch 122259-02 or later
    * OpenSolaris based upon builds snv_115 or later

x86 Platform

    * Solaris 10 with patch 122260-02 or later
    * OpenSolaris based upon builds snv_115 or later

A final resolution is pending completion for Solaris 9.

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

======================================================================

=========================================================
CERT-Renater reference servers

http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================
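
Added example, not part of the Sun Alert or of CERT-Renater's note: a shell check that applies the release lists in sections 2 and 5 above to a host's `uname -v` build string or to its patch listing. The `showrev -p` line format, the `uname -p` values and all function names are assumptions; Solaris 9, for which the alert lists no fix, is not covered.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify a host against the
# affected/fixed releases listed in sections 2 and 5 of the advisory.
# Inputs are passed as text so the logic can be exercised offline.

# opensolaris_status BUILD -> prints affected | fixed | unknown
# BUILD is the `uname -v` string (e.g. snv_86). The result reflects the
# base build only; a distribution may carry fixes beyond its base build.
opensolaris_status() {
    case "$1" in
        snv_*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Keep the leading digits (snv_111b -> 111) and drop leading zeros.
    n=`printf '%s' "$1" | sed -e 's/^snv_//' -e 's/[^0-9].*$//' -e 's/^0*//'`
    if [ -z "$n" ]; then echo unknown
    elif [ "$n" -ge 115 ]; then echo fixed
    else echo affected
    fi
}

# solaris10_status ARCH -> prints affected | fixed | unknown
# Reads a patch listing on stdin. Assumption: lines look like
# `showrev -p` output, i.e. they start with "Patch: <id>-<rev>".
# Assumption: ARCH is the `uname -p` value (sparc or i386).
solaris10_status() {
    case "$1" in
        sparc) base=122259 ;;
        i386)  base=122260 ;;
        *) echo unknown; return 0 ;;
    esac
    # Highest installed revision of the relevant patch, empty if absent.
    rev=`sed -n "s/^Patch: $base-\([0-9][0-9]*\).*/\1/p" | sort -n | sed -n '$p'`
    rev=`printf '%s' "$rev" | sed 's/^0*//'`
    if [ -n "$rev" ] && [ "$rev" -ge 2 ]; then echo fixed; else echo affected; fi
}

# Constructed sample listing (not real host output): only revision -01
# of the SPARC patch is present, so the host is still affected.
sample_patches() {
    printf '%s\n' \
        'Patch: 000000-01 Obsoletes: Requires: Incompatibles: Packages: PLACEHOLDER' \
        'Patch: 122259-01 Obsoletes: Requires: Incompatibles: Packages: PLACEHOLDER'
}

# On a live host:
#   opensolaris_status "`uname -v`"
#   showrev -p | solaris10_status "`uname -p`"
```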