ID CVE-2018-16585
Summary ** DISPUTED ** An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. Note: A reputable source believes that the CVE is potentially a duplicate of CVE-2018-15910 as explained in Red Hat bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1626193).
References
Vulnerable Configurations
  • Artifex Ghostscript 8 64
    cpe:2.3:a:artifex:ghostscript:8_64
  • Artifex Ghostscript 9.00
    cpe:2.3:a:artifex:ghostscript:9.00
  • Artifex Ghostscript 9.01
    cpe:2.3:a:artifex:ghostscript:9.01
  • Artifex Ghostscript 9.02
    cpe:2.3:a:artifex:ghostscript:9.02
  • Artifex Ghostscript 9.04
    cpe:2.3:a:artifex:ghostscript:9.04
  • Artifex Ghostscript 9.05
    cpe:2.3:a:artifex:ghostscript:9.05
  • Artifex Ghostscript 9.06
    cpe:2.3:a:artifex:ghostscript:9.06
  • Artifex Ghostscript 9.07
    cpe:2.3:a:artifex:ghostscript:9.07
  • Artifex Ghostscript 9.09
    cpe:2.3:a:artifex:ghostscript:9.09
  • Artifex Ghostscript 9.10
    cpe:2.3:a:artifex:ghostscript:9.10
  • Artifex Ghostscript 9.14
    cpe:2.3:a:artifex:ghostscript:9.14
  • Artifex Ghostscript 9.15
    cpe:2.3:a:artifex:ghostscript:9.15
  • Artifex Ghostscript 9.16
    cpe:2.3:a:artifex:ghostscript:9.16
  • Artifex Ghostscript 9.18
    cpe:2.3:a:artifex:ghostscript:9.18
  • Artifex Ghostscript 9.19
    cpe:2.3:a:artifex:ghostscript:9.19
  • Artifex Ghostscript 9.20
    cpe:2.3:a:artifex:ghostscript:9.20
  • Artifex Ghostscript 9.21
    cpe:2.3:a:artifex:ghostscript:9.21
  • Artifex Ghostscript 9.22
    cpe:2.3:a:artifex:ghostscript:9.22
  • Artifex Ghostscript 9.23
    cpe:2.3:a:artifex:ghostscript:9.23
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201811-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-201811-12 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for additional information. Impact : A context-dependent attacker could entice a user to open a specially crafted PostScript file or PDF document using GPL Ghostscript possibly resulting in the execution of arbitrary code with the privileges of the process, a Denial of Service condition, or other unspecified impacts, Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 119132
    published 2018-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119132
    title GLSA-201811-12 : GPL Ghostscript: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2976-1.NASL
    description This update for ghostscript to version 9.25 fixes the following issues : These security issues were fixed : CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120116
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120116
    title SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:2976-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2975-2.NASL
    description This update for ghostscript to version 9.25 fixes the following issues : These security issues were fixed : CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118298
    published 2018-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118298
    title SUSE SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-2)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1123.NASL
    description This update for ghostscript to version 9.25 fixes the following issues : These security issues were fixed : - CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) - CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). - CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). - CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). - CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). - CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). - CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). - CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). - CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). - CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). - CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). These non-security issues were fixed : - Fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files). - Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--' For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 117980
    published 2018-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117980
    title openSUSE Security Update : ghostscript (openSUSE-2018-1123)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3768-1.NASL
    description Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 117595
    published 2018-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117595
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : ghostscript vulnerabilities (USN-3768-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4288.NASL
    description Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 117369
    published 2018-09-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117369
    title Debian DSA-4288-1 : ghostscript - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1504.NASL
    description Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled). For Debian 8 'Jessie', these problems have been fixed in version 9.06~dfsg-2+deb8u8. We recommend that you upgrade your ghostscript packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 117487
    published 2018-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117487
    title Debian DLA-1504-1 : ghostscript security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2975-1.NASL
    description This update for ghostscript to version 9.25 fixes the following issues : These security issues were fixed : CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 117901
    published 2018-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117901
    title SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1122.NASL
    description This update for ghostscript to version 9.25 fixes the following issues : These security issues were fixed : - CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) - CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). - CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). - CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). - CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). - CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). - CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). - CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). - CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). - CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). - CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). These non-security issues were fixed : - Fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files). - Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--' For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm and the changes file of the package. This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 117979
    published 2018-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117979
    title openSUSE Security Update : ghostscript (openSUSE-2018-1122)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1088.NASL
    description It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15909) An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in 'ztype' could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16511) An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16585) It was discovered that the ghostscript PDF14 compositor did not properly handle the copying of a device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16540) It was discovered that the ghostscript device cleanup did not properly handle devices replaced with a null device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16541) It was discovered that the ghostscript did not properly restrict access to files open prior to enabling the -dSAFER mode. An attacker could possibly exploit this to bypass the -dSAFER protection and disclose the content of affected files via a specially crafted PostScript document.(CVE-2018-16539) An issue was discovered in Artifex Ghostscript before 9.25. Incorrect 'restoration of privilege' checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 .(CVE-2018-16802) It was discovered that ghostscript did not properly handle certain stack overflow error conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16542) Ghostscript did not honor the -dSAFER option when executing the 'status' instruction, which can be used to retrieve information such as a file's existence and size. A specially crafted postscript document could use this flow to gain information on the targeted system's filesystem content.(CVE-2018-11645) It was discovered that the ghostscript did not properly validate the operands passed to the setcolor function. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16513) It was discovered that the type of the LockDistillerParams parameter is not properly verified. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15910) It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.(CVE-2018-16509) It was discovered that ghostscript did not properly verify the key used in aesdecode. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15911) It was discovered that the ghostscript .tempfile function did not properly handle file permissions. An attacker could possibly exploit this to exploit this to bypass the -dSAFER protection and delete files or disclose their content via a specially crafted PostScript document.(CVE-2018-15908)
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 118043
    published 2018-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118043
    title Amazon Linux 2 : ghostscript (ALAS-2018-1088)
  • NASL family Windows
    NASL id GHOSTSCRIPT_9_24.NASL
    description The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.24. It is, therefore, affected by multiple vulnerabilities due to improperly handling PostScript data. A context-dependent attacker could cause a buffer overflow, potentially crashing the service.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 117459
    published 2018-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117459
    title Artifex Ghostscript Multiple Vulnerabilities
refmap via4
debian DSA-4288
gentoo GLSA-201811-12
misc
mlist [debian-lts-announce] 20180913 [SECURITY] [DLA 1504-1] ghostscript security update
ubuntu USN-3768-1
Last major update 06-09-2018 - 10:29
Published 06-09-2018 - 10:29
Last modified 09-10-2019 - 17:15
Back to Top