CVE-2010-2055

Published: 22 July 2010

Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program, as demonstrated using gs_init.ps, a different vulnerability than CVE-2010-4820.

Notes

Author: mdeslaur
Note:
There are three different issues here:
1- -P is the default, and not -P-
2- -P- doesn't actually work
3- ghostscript's scripts don't use -P-

Fixing this will change the default behaviour, and may introduce
regressions in software in the archive, and custom software.
Since this is primarily a user-assisted attack, the risks of
fixing this outweigh the advantages. Marking as ignored for
affected releases.

Priority

Medium

Status

Package: ghostscript (Launchpad, Ubuntu, Debian)
Release   Status
dapper    Does not exist
hardy     Ignored
jaunty    Ignored (end of life)
karmic    Ignored (end of life)
lucid     Ignored
maverick  Ignored
natty     Not vulnerable (9.01~dfsg-1ubuntu5)
upstream  Released (9.00)
Patches:
other: http://mentors.debian.net/debian/pool/main/g/ghostscript/

Package: gs-afpl (Launchpad, Ubuntu, Debian)
Release   Status
dapper    Ignored (end of life)
hardy     Does not exist
jaunty    Does not exist
karmic    Does not exist
lucid     Does not exist
maverick  Does not exist
natty     Does not exist
upstream  Needs triage

Package: gs-esp (Launchpad, Ubuntu, Debian)
Release   Status
dapper    Ignored (end of life)
hardy     Does not exist
jaunty    Does not exist
karmic    Does not exist
lucid     Does not exist
maverick  Does not exist
natty     Does not exist
upstream  Needs triage

Package: gs-gpl (Launchpad, Ubuntu, Debian)
Release   Status
dapper    Ignored (end of life)
hardy     Does not exist
jaunty    Does not exist
karmic    Does not exist
lucid     Does not exist
maverick  Does not exist
natty     Does not exist
upstream  Needs triage