Security update for ghostscript-library

Announcement ID: SUSE-SU-2016:2492-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2016-7978 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-7979 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP1
  • SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves three vulnerabilities can now be installed.

Description:

This update for ghostscript-library fixes the following issues:

  • Multiple security vulnerabilities have been discovered where ghostscript's "-dsafer" flag did not provide sufficient protection against unintended access to the file system. Thus, a machine that would process a specially crafted Postscript file would potentially leak sensitive information to an attacker. (CVE-2013-5653, bsc#1001951)

  • An incorrect reference count was found in .setdevice. This issue lead to a use-after-free scenario, which could have been exploited for denial-of-service or, possibly, arbitrary code execution attacks. (CVE-2016-7978, bsc#1001951)

  • Insufficient validation of the type of input in .initialize_dsc_parser used to allow remote code execution. (CVE-2016-7979, bsc#1001951)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP1
    zypper in -t patch SUSE-SLE-BSK-12-SP1-2016-1458=1
  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1458=1
  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SAP-12-2016-1458=1
  • SUSE Linux Enterprise Software Development Kit 12 SP1
    zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1458=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2016-1458=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1458=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1458=1

Package List:

  • SUSE Linux Enterprise Software Bootstrap Kit 12 12-SP1 (ppc64le s390x x86_64)
    • ghostscript-mini-devel-9.15-11.1
    • ghostscript-mini-9.15-11.1
    • ghostscript-mini-debugsource-9.15-11.1
    • ghostscript-mini-debuginfo-9.15-11.1
  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • ghostscript-x11-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-x11-debuginfo-9.15-11.1
    • ghostscript-9.15-11.1
    • ghostscript-debugsource-9.15-11.1
  • SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
    • ghostscript-x11-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-x11-debuginfo-9.15-11.1
    • ghostscript-9.15-11.1
    • ghostscript-debugsource-9.15-11.1
  • SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
    • ghostscript-devel-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-debugsource-9.15-11.1
  • SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
    • ghostscript-x11-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-x11-debuginfo-9.15-11.1
    • ghostscript-9.15-11.1
    • ghostscript-debugsource-9.15-11.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • ghostscript-x11-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-x11-debuginfo-9.15-11.1
    • ghostscript-9.15-11.1
    • ghostscript-debugsource-9.15-11.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • ghostscript-x11-9.15-11.1
    • ghostscript-debuginfo-9.15-11.1
    • ghostscript-x11-debuginfo-9.15-11.1
    • ghostscript-9.15-11.1
    • ghostscript-debugsource-9.15-11.1

References: