Bug 771853 (CVE-2010-4820)

Summary: CVE-2010-4820 ghostscript: CWD included in the default library search path
Product: [Other] Security Response Reporter: Ramon de C Valle <rcvalle>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, rcvalle, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 13:55:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 755923, 755924, 755925, 755926, 755928    
Bug Blocks: 733386    

Description Ramon de C Valle 2012-01-05 09:08:30 UTC 
Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820)

Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first).
Comment 1 Tomas Hoger 2012-01-08 13:24:21 UTC 
This issue was originally tracked with CVE-2010-2055 via bug #599564.  It got a separate CVE id, as it is separate issue, see e.g.:
  http://thread.gmane.org/gmane.comp.security.oss.general/2973/focus=3354

Issue was tracked upstream in:
  http://bugs.ghostscript.com/show_bug.cgi?id=691339

Following upstream commit changes ghostscript's default to not include CWD in the library search path by default (SEARCH_HERE_FIRST=0 if the default now):
  http://svn.ghostscript.com/viewvc?view=rev&revision=11494

Flaw type:
  CWE-427: Uncontrolled Search Path Element
  http://cwe.mitre.org/data/definitions/427.html
Comment 2 errata-xmlrpc 2012-02-02 22:33:22 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0096 https://rhn.redhat.com/errata/RHSA-2012-0096.html
Comment 3 errata-xmlrpc 2012-02-02 22:46:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html