Security Advisory
This page is related to the BSSA-2023-01 Security Advisory.
Overview
Older versions of Ghostscript open a way for script infusion.
Because of bugs in the Ghostscript binary out of the BlueSpice package manager, Hallo Welt! mostly installed manually on Linux systems. These bugs no longer seem to be a problem.
How to update - Linux
- Check the system for manual installation and delete it:If there is a binary called
ls -al /usr/local/bin
gs
delete it:
rm -fr /usr/local/bin/gs
- Check System for Installation out of Packagemanager(Ghostscript comes as an dependency of ImageMagik)for Debian 11 this should look like:
dpkg -l ghostscript
For Debian 12 the Version is "10.0.0~dfsg-11+deb12u1"root@XXXXXXXXXXXX:~# dpkg -l ghostscript Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/ Halb installiert/Trigger erWartet/Trigger anhängig |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht) ||/ Name Version Architektur Beschreibung +++-==============-=====================-============-=================================================== ii ghostscript 9.53.3~dfsg-7+deb11u5 amd64 interpreter for the PostScript language and for PDF
For Ubuntu 22 the Version is "9.50~dfsg-5ubuntu4.8"
If it does not match the needed Version please do an
apt update
apt upgrade -y
and recheck.
- Change Settings in the codebase
Got to whereever the codebase is saved (check your ApacheConfiguration for DocumentRoot if you are not sure). Normally it should look like this:
root@XXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
005-PdfHandler.php:5:$wgPdfProcessor = '/usr/local/bin/gs';
Could be 005-PdfHandler.php or some other configuration-file. Find and change Variable to correct path: For example with this Command:
sed -i 's/local\///g' 005-PdfHandler.php
Doublecheck:
root@XXXXXXXXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
005-PdfHandler.php:5:$wgPdfProcessor = '/usr/bin/gs';
Your system is now patched.
How to update - Windows
- Deinstall the package GPL Ghostscript.
- Download the package Ghostscript AGPL Release from https://www.ghostscript.com/releases/gsdnld.html .
- Install the new package.
Your system is now patched.