Bug 258424 - print/ghostscript*: potential CVE-2021-3781
Summary: print/ghostscript*: potential CVE-2021-3781
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Hiroki Sato
Reported: 2021-09-11 10:07 UTC by Kurt Jaeger
Modified: 2023-12-31 10:06 UTC
Description Kurt Jaeger freebsd_committer freebsd_triage 2021-09-11 10:07:09 UTC
See https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/ for more details and

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde

for a potential fix from upstream. TODO: check if this patch applies and which version of ghostscript it applies to.
Comment 2 Danilo G. Baio freebsd_committer freebsd_triage 2022-01-08 18:32:58 UTC
Sorry about the delay.

Ghostscript ports are now back to the pool (ports@) and not maintained by doceng@ anymore.
Comment 3 Michael Osipov 2023-01-03 13:41:44 UTC
Ghostscript is at 9.56.1. Can this be closed?
Comment 5 George Mitchell 2023-04-21 18:41:27 UTC
(In reply to Michael Osipov from comment #3)
Since more than one vuln.xml entry claims every version less than 10.01.0 has more than one vulnerability, I suggest that this bug not be closed prior to 10.01.0 appearing in the ports tree.
Comment 6 Michael Osipov freebsd_committer freebsd_triage 2023-12-31 10:06:18 UTC
print/ghostscript9 has been removed.
print/ghostscript10 has been updated a long time ago.