Your submission was sent successfully! Close

CVE-2010-2055

Published: 22 July 2010

Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program, as demonstrated using gs_init.ps, a different vulnerability than CVE-2010-4820.

Priority

Medium

Status

Package Release Status
ghostscript
Launchpad, Ubuntu, Debian
dapper Does not exist

hardy Ignored

jaunty Ignored
(reached end-of-life)
karmic Ignored
(reached end-of-life)
lucid Ignored

maverick Ignored

natty Not vulnerable
(9.01~dfsg-1ubuntu5)
oneiric Not vulnerable
(9.02~dfsg-2ubuntu1)
upstream
Released (9.00)
gs-afpl
Launchpad, Ubuntu, Debian
dapper Ignored
(reached end-of-life)
hardy Does not exist

jaunty Does not exist

karmic Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

upstream Needs triage

gs-esp
Launchpad, Ubuntu, Debian
dapper Ignored
(reached end-of-life)
hardy Does not exist

jaunty Does not exist

karmic Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

upstream Needs triage

gs-gpl
Launchpad, Ubuntu, Debian
dapper Ignored
(reached end-of-life)
hardy Does not exist

jaunty Does not exist

karmic Does not exist

lucid Does not exist

maverick Does not exist

natty Does not exist

oneiric Does not exist

upstream Needs triage

Notes

AuthorNote
mdeslaur
There are three different issues here:
1- -P is the default, and not -P-
2- -P- doesn't actually work
3- ghostscript's scripts don't use -P-

Fixing this will change the default behaviour, and may introduce
regressions in software in the archive, and custom software.
Since this is primarily a user-assisted attack, the risks of
fixing this outweighs the advantages. Marking as ignored for
affected releases.

References

Bugs