Vulnerabilities > CVE-2017-8291 - Incorrect Type Conversion or Cast vulnerability in Artifex Ghostscript
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit). CVE-2017-8291. Local exploit for Linux platform. Tags: Metasploit Framework, Local |
| file | exploits/linux/local/41955.rb |
| id | EDB-ID:41955 |
| last seen | 2017-05-02 |
| modified | 2017-05-02 |
| platform | linux |
| port | |
| published | 2017-05-02 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41955/ |
| title | Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) |
| type | local |
Metasploit
| description | This module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow. |
| id | MSF:EXPLOIT/UNIX/FILEFORMAT/GHOSTSCRIPT_TYPE_CONFUSION |
| last seen | 2020-06-12 |
| modified | 2019-04-24 |
| published | 2017-04-28 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/fileformat/ghostscript_type_confusion.rb |
| title | Ghostscript Type Confusion Arbitrary Command Execution |
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1230.NASL description From Red Hat Security Advisory 2017:1230 : An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) last seen 2020-06-01 modified 2020-06-02 plugin id 100171 published 2017-05-15 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100171 title Oracle Linux 6 / 7 : ghostscript (ELSA-2017-1230) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2017:1230 and # Oracle Linux Security Advisory ELSA-2017-1230 respectively. # include("compat.inc"); if (description) { script_id(100171); script_version("3.9"); script_cvs_date("Date: 2019/09/27 13:00:37"); script_cve_id("CVE-2017-8291"); script_xref(name:"RHSA", value:"2017:1230"); script_name(english:"Oracle Linux 6 / 7 : ghostscript (ELSA-2017-1230)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2017:1230 : An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2017-May/006907.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2017-May/006908.html" ); script_set_attribute( attribute:"solution", value:"Update the affected ghostscript packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-cups"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-gtk"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/27"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"ghostscript-8.70-23.el6_9.2")) flag++; if (rpm_check(release:"EL6", reference:"ghostscript-devel-8.70-23.el6_9.2")) flag++; if (rpm_check(release:"EL6", reference:"ghostscript-doc-8.70-23.el6_9.2")) flag++; if (rpm_check(release:"EL6", reference:"ghostscript-gtk-8.70-23.el6_9.2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-9.07-20.el7_3.5")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-cups-9.07-20.el7_3.5")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-devel-9.07-20.el7_3.5")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-doc-9.07-20.el7_3.5")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-gtk-9.07-20.el7_3.5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript / ghostscript-cups / ghostscript-devel / etc"); }NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-1230.NASL description An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101465 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101465 title Virtuozzo 6 : ghostscript / ghostscript-devel / ghostscript-doc / etc (VZLSA-2017-1230) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1230.NASL description An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) last seen 2020-06-01 modified 2020-06-02 plugin id 100172 published 2017-05-15 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100172 title RHEL 6 / 7 : ghostscript (RHSA-2017:1230) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1101.NASL description According to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-06-09 plugin id 100694 published 2017-06-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100694 title EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2017-1101) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-932.NASL description A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed. For Debian 7 last seen 2020-03-17 modified 2017-05-08 plugin id 99998 published 2017-05-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99998 title Debian DLA-932-1 : ghostscript security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1322-1.NASL description This update for ghostscript fixes the following security vulnerability : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) This update is a reissue including the SUSE Linux Enterprise 11 SP3 product. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100264 published 2017-05-18 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100264 title SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2017:1322-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-837.NASL description It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) last seen 2020-06-01 modified 2020-06-02 plugin id 100638 published 2017-06-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100638 title Amazon Linux AMI : ghostscript (ALAS-2017-837) NASL family Windows NASL id GHOSTSCRIPT_9_21.NASL description The version of Artifex Ghostscript installed on the remote Windows host is 9.21 or earlier. It is, therefore, affected by a type confusion error when handling the last seen 2020-06-01 modified 2020-06-02 plugin id 100356 published 2017-05-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100356 title Artifex Ghostscript .rsdparams Operator Handling Type Confusion RCE NASL family Fedora Local Security Checks NASL id FEDORA_2017-FAE1506F94.NASL description Security fixes release for these CVEs : - [CVE-2016-10217](https://access.redhat.com/security/cve/ CVE-2016-10217) *(use-after-free and application crash)* - [CVE-2016-10218](https://access.redhat.com/security/cve/ CVE-2016-10218) *(NULL pointer dereference and application crash)* - [CVE-2016-10219](https://access.redhat.com/security/cve/ CVE-2016-10219) *(divide-by-zero error and application crash)* - [CVE-2016-10220](https://access.redhat.com/security/cve/ CVE-2016-10220) *(NULL pointer dereference and application crash)* - [CVE-2017-5951](https://access.redhat.com/security/cve/C VE-2017-5951) *(NULL pointer dereference and application crash)* - [CVE-2017-7975](https://access.redhat.com/security/cve/C VE-2017-7975) *(application crash or possible execution of arbitrary code)* - [CVE-2017-8291](https://access.redhat.com/security/cve/C VE-2017-8291) *( -dSAFER bypass and remote command execution)* Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-05-16 plugin id 100201 published 2017-05-16 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100201 title Fedora 24 : ghostscript (2017-fae1506f94) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201708-06.NASL description The remote host is affected by the vulnerability described in GLSA-201708-06 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for additional information. Impact : A context-dependent attacker could entice a user to open a specially crafted PostScript file or PDF document using GPL Ghostscript possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 102618 published 2017-08-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102618 title GLSA-201708-06 : GPL Ghostscript: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1138-1.NASL description This update for ghostscript fixes the following security vulnerabilities : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) - CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) - CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) - CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) - CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99761 published 2017-05-01 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99761 title SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2017:1138-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0285.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - It was found that the fix for CVE-2018-16509 was not complete, the missing pieces added into ghostscript-CVE-2018-16509.patch - Resolves: #1641124 - CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore - Added security fix for CVE-2017-8291 (bug #1446063) last seen 2020-06-01 modified 2020-06-02 plugin id 119484 published 2018-12-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119484 title OracleVM 3.3 / 3.4 : ghostscript (OVMSA-2018-0285) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1153-1.NASL description This update for ghostscript fixes the following security vulnerability : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99979 published 2017-05-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99979 title SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2017:1153-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3272-1.NASL description It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash). (CVE-2017-8291) Kamil Frankowicz discovered a use-after-free vulnerability in the color management module of Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10217) Kamil Frankowicz discovered a divide-by-zero error in the scan conversion code in Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10219) Kamil Frankowicz discovered multiple NULL pointer dereference errors in Ghostscript. An attacker could use these to cause a denial of service (application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99726 published 2017-04-28 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99726 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ghostscript vulnerabilities (USN-3272-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1230.NASL description An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) last seen 2020-06-01 modified 2020-06-02 plugin id 100175 published 2017-05-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100175 title CentOS 6 / 7 : ghostscript (CESA-2017:1230) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0097_GHOSTSCRIPT.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has ghostscript packages installed that are affected by a vulnerability: - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127321 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127321 title NewStart CGSL MAIN 4.05 : ghostscript Vulnerability (NS-SA-2019-0097) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1404-1.NASL description This update for ghostscript fixes the following security vulnerabilities : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) - CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) - CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) - CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) - CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) This is a reissue of the previous update to also include SUSE Linux Enterprise 12 GA LTSS packages. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100410 published 2017-05-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100410 title SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2017:1404-1) NASL family Scientific Linux Local Security Checks NASL id SL_20170512_GHOSTSCRIPT_ON_SL6_X.NASL description Security Fix(es) : - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) last seen 2020-03-18 modified 2017-05-15 plugin id 100173 published 2017-05-15 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100173 title Scientific Linux Security Update : ghostscript on SL6.x, SL7.x i386/x86_64 (20170512) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3272-2.NASL description USN-3272-1 fixed vulnerabilities in Ghostscript. This change introduced a regression when the DELAYBIND feature is used with the eqproc command. This update fixes the problem. We apologize for the inconvenience. It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash). (CVE-2017-8291) Kamil Frankowicz discovered a use-after-free vulnerability in the color management module of Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10217) Kamil Frankowicz discovered a divide-by-zero error in the scan conversion code in Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10219) Kamil Frankowicz discovered multiple NULL pointer dereference errors in Ghostscript. An attacker could use these to cause a denial of service (application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100247 published 2017-05-17 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100247 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ghostscript regression (USN-3272-2) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-558.NASL description This update for ghostscript fixes the following security vulnerabilities : CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-05-09 plugin id 100041 published 2017-05-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100041 title openSUSE Security Update : ghostscript (openSUSE-2017-558) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0103.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Security fix for CVE-2017-8291 updated to address SIGSEGV - Added security fix for CVE-2017-8291 (bug #1446063) - Fix for regression caused by previous CVE fixes (bug #1410260) last seen 2020-06-01 modified 2020-06-02 plugin id 100205 published 2017-05-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100205 title OracleVM 3.3 / 3.4 : ghostscript (OVMSA-2017-0103) NASL family Fedora Local Security Checks NASL id FEDORA_2017-C85C0E5637.NASL description Security fixes release for these CVEs : - [CVE-2016-10217](https://access.redhat.com/security/cve/ CVE-2016-10217) *(use-after-free and application crash)* - [CVE-2016-10218](https://access.redhat.com/security/cve/ CVE-2016-10218) *(NULL pointer dereference and application crash)* - [CVE-2016-10219](https://access.redhat.com/security/cve/ CVE-2016-10219) *(divide-by-zero error and application crash)* - [CVE-2016-10220](https://access.redhat.com/security/cve/ CVE-2016-10220) *(NULL pointer dereference and application crash)* - [CVE-2017-5951](https://access.redhat.com/security/cve/C VE-2017-5951) *(NULL pointer dereference and application crash)* - [CVE-2017-7975](https://access.redhat.com/security/cve/C VE-2017-7975) *(application crash or possible execution of arbitrary code)* - [CVE-2017-8291](https://access.redhat.com/security/cve/C VE-2017-8291) *( -dSAFER bypass and remote command execution)* Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-05-08 plugin id 100013 published 2017-05-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100013 title Fedora 25 : ghostscript (2017-c85c0e5637) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1100.NASL description According to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-06-09 plugin id 100693 published 2017-06-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100693 title EulerOS 2.0 SP1 : ghostscript (EulerOS-SA-2017-1100) NASL family Fedora Local Security Checks NASL id FEDORA_2017-A606D224A5.NASL description Security fixes release for these CVEs : - [CVE-2016-10217](https://access.redhat.com/security/cve/ CVE-2016-10217) *(use-after-free and application crash)* - [CVE-2016-10218](https://access.redhat.com/security/cve/ CVE-2016-10218) *(NULL pointer dereference and application crash)* - [CVE-2016-10219](https://access.redhat.com/security/cve/ CVE-2016-10219) *(divide-by-zero error and application crash)* - [CVE-2016-10220](https://access.redhat.com/security/cve/ CVE-2016-10220) *(NULL pointer dereference and application crash)* - [CVE-2017-5951](https://access.redhat.com/security/cve/C VE-2017-5951) *(NULL pointer dereference and application crash)* - [CVE-2017-7975](https://access.redhat.com/security/cve/C VE-2017-7975) *(application crash or possible execution of arbitrary code)* - [CVE-2017-8291](https://access.redhat.com/security/cve/C VE-2017-8291) *( -dSAFER bypass and remote command execution)* Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-17 plugin id 101695 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101695 title Fedora 26 : ghostscript (2017-a606d224a5) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3838.NASL description Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed. last seen 2020-06-01 modified 2020-06-02 plugin id 99741 published 2017-05-01 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99741 title Debian DSA-3838-1 : ghostscript - security update
Packetstorm
| data source | https://packetstormsecurity.com/files/download/142363/ghostscript_type_confusion.rb.txt |
| id | PACKETSTORM:142363 |
| last seen | 2017-05-02 |
| published | 2017-05-01 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/142363/Ghostscript-9.21-Type-Confusion-Arbitrary-Command-Execution.html |
| title | Ghostscript 9.21 Type Confusion Arbitrary Command Execution |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | No description provided by source. |
| id | SSV:93067 |
| last seen | 2017-11-19 |
| modified | 2017-04-29 |
| published | 2017-04-29 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-93067 |
| title | Ghostscript remote code execution (CVE-2017-8291) (ghostbutt) |
The Hacker News
| id | THN:6EE883925125E982A6EC7C360E183C43 |
| last seen | 2018-08-22 |
| modified | 2018-08-22 |
| published | 2018-08-22 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2018/08/ghostscript-postscript-vulnerability.html |
| title | Critical Flaws in Ghostscript Could Leave Many Systems at Risk of Hacking |
References
- https://bugs.ghostscript.com/show_bug.cgi?id=697808
- https://bugzilla.suse.com/show_bug.cgi?id=1036453
- https://bugzilla.redhat.com/show_bug.cgi?id=1446063
- http://openwall.com/lists/oss-security/2017/04/28/2
- http://www.securityfocus.com/bid/98476
- https://www.exploit-db.com/exploits/41955/
- https://security.gentoo.org/glsa/201708-06
- http://www.debian.org/security/2017/dsa-3838
- https://access.redhat.com/errata/RHSA-2017:1230
- https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=04b37bbce174eed24edec7ad5b920eb93db4d47d