From martin.pitt@canonical.com Wed Oct 27 03:06:35 2004 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com Date: Wed, 27 Oct 2004 02:42:05 +0200 Subject: [Full-Disclosure] [USN-3-1] GhostScript utility script vulnerabilities =========================================================== Ubuntu Security Notice USN-3-1 October 27, 2004 GhostScript utility script vulnerabilities CAN-2004-0967 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: gs-common The problem can be corrected by upgrading the affected package to version 0.3.6ubuntu1.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Recently, Trustix Secure Linux discovered some vulnerabilities in the gs-common package. The utilities "pv.sh" and "ps2epsi" created temporary files in an insecure way, which allowed a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1.dsc Size/MD5: 589 3506426ff7ecd78fea5e254dbf694b35 http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1.tar.gz Size/MD5: 31596 060a50ce728aedeb61d6b17be30d2e5d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1_all.deb Size/MD5: 45434 8ca2afdfe91cd67777f44f767489a705 [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] [ Unable to print this part. ]