Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2095-1 Final 1 1 2020-07-30T15:10:49Z current 2020-07-30T15:10:49Z 2020-07-30T15:10:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript fixes the following issues: - fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout) cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582 (bsc#1174415) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-2095,SUSE-SLE-Module-Basesystem-15-SP1-2020-2095,SUSE-SLE-Module-Basesystem-15-SP2-2020-2095,SUSE-SLE-Product-HPC-15-2020-2095,SUSE-SLE-Product-SLES-15-2020-2095,SUSE-SLE-Product-SLES_SAP-15-2020-2095 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202095-1/ Link for SUSE-SU-2020:2095-1 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007203.html E-Mail link for SUSE-SU-2020:2095-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174415 SUSE Bug 1174415 https://www.suse.com/security/cve/CVE-2020-15900/ SUSE CVE CVE-2020-15900 page SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 ghostscript-9.52-3.32.1 ghostscript-devel-9.52-3.32.1 ghostscript-mini-9.52-3.32.1 ghostscript-mini-devel-9.52-3.32.1 ghostscript-x11-9.52-3.32.1 ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise Server 15-LTSS ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise Server 15-LTSS ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise Server 15-LTSS ghostscript-9.52-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 ghostscript-devel-9.52-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 ghostscript-x11-9.52-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b. CVE-2020-15900 SUSE Linux Enterprise High Performance Computing 15-ESPOS:ghostscript-9.52-3.32.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:ghostscript-x11-9.52-3.32.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:ghostscript-9.52-3.32.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:ghostscript-x11-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:ghostscript-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:ghostscript-x11-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:ghostscript-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:ghostscript-x11-9.52-3.32.1 SUSE Linux Enterprise Server 15-LTSS:ghostscript-9.52-3.32.1 SUSE Linux Enterprise Server 15-LTSS:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise Server 15-LTSS:ghostscript-x11-9.52-3.32.1 SUSE Linux Enterprise Server for SAP Applications 15:ghostscript-9.52-3.32.1 SUSE Linux Enterprise Server for SAP Applications 15:ghostscript-devel-9.52-3.32.1 SUSE Linux Enterprise Server for SAP Applications 15:ghostscript-x11-9.52-3.32.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202095-1/ https://www.suse.com/security/cve/CVE-2020-15900.html CVE-2020-15900 https://bugzilla.suse.com/1174415 SUSE Bug 1174415