
[kirkstone] ghostscript: ignore CVE-2020-36773

Message ID 20240208064030.118190-1-vanusuri@mvista.com
State Changes Requested
Delegated to: Steve Sakoman
Series [kirkstone] ghostscript: ignore CVE-2020-36773

Commit Message

Vijay Anusuri Feb. 8, 2024, 6:40 a.m. UTC
From: Vijay Anusuri <vanusuri@mvista.com>

Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).

Reference: https://ubuntu.com/security/CVE-2020-36773

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Steve Sakoman Feb. 8, 2024, 3:09 p.m. UTC | #1
On Wed, Feb 7, 2024 at 8:42 PM Vijay Anusuri via
lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org>
wrote:
>
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
>
> Reference: https://ubuntu.com/security/CVE-2020-36773
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> index e0d1e4618f..cc06d092c1 100644
> --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> @@ -26,6 +26,10 @@ CVE_CHECK_IGNORE += "CVE-2013-6629"
>  # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
>  CVE_CHECK_IGNORE += "CVE-2023-38560"
>
> +# This CVE affects Ghostscript before 9.53.0
> +# https://ubuntu.com/security/CVE-2020-36773
> +CVE_CHECK_IGNORE += "CVE-2020-36773"

When there is an error in the upstream database it is preferred that
you send an email to cpe_dictionary@nist.gov requesting an update
(giving links that justify the change to make it easy for them to
research)

They are usually quite responsive, and this is much preferred to
carrying an IGNORE in our metadata.

Thanks!

Steve

> +
>  def gs_verdir(v):
>      return "".join(v.split("."))
>
> --
> 2.25.1
>
>
Vijay Anusuri March 4, 2024, 1:49 a.m. UTC | #2
Hi Steve,

I've sent mail to cpe_dictionary@nist.gov to update the information.

Now it was updated in https://nvd.nist.gov/vuln/detail/CVE-2020-36773

Thanks & Regards,
Vijay

On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman <steve@sakoman.com> wrote:

> On Wed, Feb 7, 2024 at 8:42 PM Vijay Anusuri via
> lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org>
> wrote:
> >
> > From: Vijay Anusuri <vanusuri@mvista.com>
> >
> > Artifex Ghostscript before 9.53.0 has an out-of-bounds write and
> use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single
> character code in a PDF document can map to more than one Unicode code
> point (e.g., for a ligature).
> >
> > Reference: https://ubuntu.com/security/CVE-2020-36773
> >
> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > ---
> >  meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > index e0d1e4618f..cc06d092c1 100644
> > --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > @@ -26,6 +26,10 @@ CVE_CHECK_IGNORE += "CVE-2013-6629"
> >  # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
> >  CVE_CHECK_IGNORE += "CVE-2023-38560"
> >
> > +# This CVE affects Ghostscript before 9.53.0
> > +# https://ubuntu.com/security/CVE-2020-36773
> > +CVE_CHECK_IGNORE += "CVE-2020-36773"
>
> When there is an error in the upstream database it is preferred that
> you send an email to cpe_dictionary@nist.gov requesting an update
> (giving links that justify the change to make it easy for them to
> research)
>
> They are usually quite responsive, and this is much preferred to
> carrying an IGNORE in our metadata.
>
> Thanks!
>
> Steve
>
> > +
> >  def gs_verdir(v):
> >      return "".join(v.split("."))
> >
> > --
> > 2.25.1
> >
> >
Good afternoon,

We apologize for the late response as we are currently experiencing a large volume of CPE related inquiries.

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information we have made the appropriate modifications.  Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.


V/r,

Common Platform Enumeration Team

National Institute of Standards and Technology (NIST)

cpe_dictionary@nist.gov


From: Vijay Anusuri <vanusuri@mvista.com>
Sent: Thursday, February 8, 2024 10:52 PM
To: cpe_dictionary <cpe_dictionary@nist.gov>
Subject: CVE-2020-36773 update

Hi Team,

CVE-2020-36773 was fixed in Ghostscript version 9.53.0 by the commit below:
https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874

This issue was introduced in 9.51, as described in the patch.

Affected versions: 9.51 & 9.52
References: https://ghostscript.com/docs/9.53.3/History9.htm
                    https://ubuntu.com/security/CVE-2020-36773

Could you please update this in the upstream database?

Thanks & Regards,
Vijay
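
The difference between the two approaches discussed in this thread, as an added example (not part of the thread and not OE-Core's cve-check code): a simplified version-range matcher applied to the 9.55.0 recipe version. The corrected range comes from the e-mail above (9.51 and 9.52 affected, fixed in 9.53.0); the uncorrected range is constructed, and the function names and status strings are this example's own.

```python
# Added example: simplified model of version-range CVE matching.
# Not OE-Core's cve-check code; names and status strings are this example's own.

CVE = "CVE-2020-36773"

# Constructed "before" entry: a range with no upper bound. The thread does not
# show what the database held before the correction.
RANGES_BEFORE = [{"versionStartIncluding": "9.51"}]

# "After" entry built from the e-mail in the thread: 9.51 and 9.52 affected,
# fixed in 9.53.0.
RANGES_AFTER = [{"versionStartIncluding": "9.51", "versionEndExcluding": "9.53.0"}]


def parse(version, width=3):
    """'9.52' -> (9, 52, 0), so 9.53 and 9.53.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def in_range(version, rng):
    """True when version satisfies every bound present in rng."""
    v = parse(version)
    bounds = {
        "versionStartIncluding": lambda b: v >= b,
        "versionStartExcluding": lambda b: v > b,
        "versionEndIncluding": lambda b: v <= b,
        "versionEndExcluding": lambda b: v < b,
    }
    return all(ok(parse(rng[key])) for key, ok in bounds.items() if key in rng)


def status(cve, version, ranges, ignore=()):
    """An ignore entry wins before any version comparison takes place."""
    if cve in ignore:
        return "Ignored"
    return "Unpatched" if any(in_range(version, r) for r in ranges) else "Patched"


def demo():
    return {
        "9.55.0, uncorrected data": status(CVE, "9.55.0", RANGES_BEFORE),
        "9.55.0, corrected data": status(CVE, "9.55.0", RANGES_AFTER),
        "9.52, corrected data": status(CVE, "9.52", RANGES_AFTER),
        "9.52, corrected data + ignore": status(CVE, "9.52", RANGES_AFTER, ignore={CVE}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With corrected data the 9.55.0 recipe is no longer flagged while 9.52 still is; an ignore entry hides the CVE for every version.
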
Steve Sakoman March 7, 2024, 3:21 p.m. UTC | #3
On Sun, Mar 3, 2024 at 3:50 PM Vijay Anusuri <vanusuri@mvista.com> wrote:
>
> Hi Steve,
>
> I've sent mail to cpe_dictionary@nist.gov to update the information.
>
> Now it was updated in https://nvd.nist.gov/vuln/detail/CVE-2020-36773

Thanks!

Steve

> On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman <steve@sakoman.com> wrote:
>>
>> On Wed, Feb 7, 2024 at 8:42 PM Vijay Anusuri via
>> lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org>
>> wrote:
>> >
>> > From: Vijay Anusuri <vanusuri@mvista.com>
>> >
>> > Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
>> >
>> > Reference: https://ubuntu.com/security/CVE-2020-36773
>> >
>> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
>> > ---
>> >  meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 ++++
>> >  1 file changed, 4 insertions(+)
>> >
>> > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
>> > index e0d1e4618f..cc06d092c1 100644
>> > --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
>> > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
>> > @@ -26,6 +26,10 @@ CVE_CHECK_IGNORE += "CVE-2013-6629"
>> >  # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
>> >  CVE_CHECK_IGNORE += "CVE-2023-38560"
>> >
>> > +# This CVE affects Ghostscript before 9.53.0
>> > +# https://ubuntu.com/security/CVE-2020-36773
>> > +CVE_CHECK_IGNORE += "CVE-2020-36773"
>>
>> When there is an error in the upstream database it is preferred that
>> you send an email to cpe_dictionary@nist.gov requesting an update
>> (giving links that justify the change to make it easy for them to
>> research)
>>
>> They are usually quite responsive, and this is much preferred to
>> carrying an IGNORE in our metadata.
>>
>> Thanks!
>>
>> Steve
>>
>> > +
>> >  def gs_verdir(v):
>> >      return "".join(v.split("."))
>> >
>> > --
>> > 2.25.1
>> >
>> >

Patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index e0d1e4618f..cc06d092c1 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -26,6 +26,10 @@  CVE_CHECK_IGNORE += "CVE-2013-6629"
 # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
 CVE_CHECK_IGNORE += "CVE-2023-38560"
 
+# This CVE affects Ghostscript before 9.53.0
+# https://ubuntu.com/security/CVE-2020-36773
+CVE_CHECK_IGNORE += "CVE-2020-36773"
+
 def gs_verdir(v):
     return "".join(v.split("."))
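
Review bot: The comment above CVE_CHECK_IGNORE += "CVE-2020-36773" states only that the CVE affects Ghostscript before 9.53.0; it does not say why the entry is needed in a 9.55.0 recipe or when it can be removed. Suggest spelling out that this recipe version is already past the affected range and that the entry exists only to silence a report caused by the database's version data, so it can be dropped once that data is corrected. The reference is a distribution tracker page; a link to the upstream fix would make the justification easier to check. The added blank line after the new entry keeps it separated from gs_verdir(), which matches the spacing of the entries above.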