Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). References https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d https://bugs.ghostscript.com/show_bug.cgi?id=706761 https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c
Created ghostscript tracking bugs for this issue: Affects: fedora-37 [bug 2217805] Affects: fedora-38 [bug 2217806]
(In reply to Sandipan Roy from comment #0) > Artifex Ghostscript through 10.01.2 mishandles permission validation for > pipe devices (with the %pipe% prefix or the | pipe character prefix). > > References > https://git.ghostscript.com/?p=ghostpdl.git;a=commit; > h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d > https://bugs.ghostscript.com/show_bug.cgi?id=706761 > https://git.ghostscript.com/?p=ghostpdl.git;a=commit; > h=505eab7782b429017eb434b2b95120855f2b0e3c Are you sure "through 10.01.2" is correct? https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099 seem to be the corresponding commits in the 10.01.2 release.
FYI: If someone cares to give karma on the F37 update then that one will go stable, too. F39/F38 are already. All the others bugs are locked. Good luck :)
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4324 https://access.redhat.com/errata/RHSA-2023:4324
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-36664
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5459 https://access.redhat.com/errata/RHSA-2023:5459
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days