Bug 258424 - print/ghostscript*: potential CVE-2021-3781
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Hiroki Sato
Reported: 2021-09-11 10:07 UTC by Kurt Jaeger
Modified: 2023-12-31 10:06 UTC
Description Kurt Jaeger freebsd_committer freebsd_triage 2021-09-11 10:07:09 UTC
See https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/ for more details and

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde

for a potential fix from upstream. TODO: check if this patch applies and which version of ghostscript it applies to.
Comment 2 Danilo G. Baio freebsd_committer freebsd_triage 2022-01-08 18:32:58 UTC
Sorry about the delay.

Ghostscript ports are now back to the pool (ports@) and not maintained by doceng@ anymore.
Comment 3 Michael Osipov 2023-01-03 13:41:44 UTC
Ghostscript is at 9.56.1. Can this be closed?
Comment 4 alexwriter2003 2023-03-23 13:04:41 UTC
This is concerning news for anyone who relies on Ghostscript for their server. The fact that proof-of-concept code has been published means that the vulnerability is real and can be exploited by malicious actors. It is crucial that server administrators take action to mitigate this risk by ensuring that they are not using vulnerable versions of Ghostscript and applying any available patches as soon as possible. It is also important to monitor for any suspicious activity on servers that use Ghostscript and to have a plan https://essayservice.io/ in place for responding to any potential attacks. Cybersecurity threats like this highlight the need for ongoing vigilance and proactive measures to protect against cyber attacks.
Comment 5 George Mitchell 2023-04-21 18:41:27 UTC
(In reply to Michael Osipov from comment #3)
Since more than one vuln.xml entry claims every version less than 10.01.0 has more than one vulnerability, I suggest that this bug not be closed prior to 10.01.0 appearing in the ports tree.
Comment 6 Michael Osipov freebsd_committer freebsd_triage 2023-12-31 10:06:18 UTC
print/ghostscript9 has been removed.
print/ghostscript10 was updated a long time ago.