Automatic update for ghostscript-10.05.1-2.fc43.
* Tue May 27 2025 Zdenek Dohnal <zdohnal@redhat.com> - 10.05.1-2
- CVE-2025-48708 ghostscript: Ghostscript Argument Sanitization Vulnerability (fedora#2368149, fedora#2368134)
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2025-c3e110251cPlease log in to add feedback.
This update was automatically created
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been submitted for stable by bodhi
Looking from build log, the patch did not get applied.
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/log/?h=ghostpdl-10.05.1
Looking from upstream, 10.05.1 already contains fix for CVE-2025-48708. And the patch even did not get applied during build.
Thanks @fundawang!
Funny coincidence - I have introduced Fedora-only pdf2dsc in the next version, which made me to apply only a specific patch number and breaks automatic patch application by autopatch (person has to call patch and apply patches one by one), but I forgot about it. Next the CVE commit is dated May 20th - https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b587663c623b4462f9e78686a31fd880207303ee , where version 10.05.1 was released at April 29th based on release notes https://ghostscript.readthedocs.io/en/gs10.05.1/News.html?utm_source=ghostscript&utm_medium=website&utm_content=inline-link , so I thought the CVE is not present in the code without checking it.
So with all the coincidences, it happened this :) .
New builds are on the way.