CVE-2017-8291 - Type Confusion vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, artifex, debian, redhat, CWE-843, nessus, exploit available, metasploit

Summary

Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.

Vulnerable Configurations

Part         Description  Count
Application  Artifex      244
OS           Debian       1
OS           Redhat       18

Exploit-Db

description: Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit). CVE-2017-8291. Local exploit for Linux platform. Tags: Metasploit Framework, Local
file: exploits/linux/local/41955.rb
id: EDB-ID:41955
last seen: 2017-05-02
modified: 2017-05-02
platform: linux
port:
published: 2017-05-02
reporter: Exploit-DB
source: https://www.exploit-db.com/download/41955/
title: Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)
type: local

Metasploit

description: This module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects Ghostscript versions 9.21 and earlier and can be exploited through libraries such as ImageMagick and Pillow.
id: MSF:EXPLOIT/UNIX/FILEFORMAT/GHOSTSCRIPT_TYPE_CONFUSION
last seen: 2020-06-12
modified: 2019-04-24
published: 2017-04-28
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
title: Ghostscript Type Confusion Arbitrary Command Execution

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2017-1230.NASL
    description: From Red Hat Security Advisory 2017:1230 : An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100171
    published: 2017-05-15
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100171
    title: Oracle Linux 6 / 7 : ghostscript (ELSA-2017-1230)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:1230 and 
    # Oracle Linux Security Advisory ELSA-2017-1230 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100171);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2017-8291");
      script_xref(name:"RHSA", value:"2017:1230");
    
      script_name(english:"Oracle Linux 6 / 7 : ghostscript (ELSA-2017-1230)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:1230 :
    
    An update for ghostscript is now available for Red Hat Enterprise
    Linux 6 and Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The Ghostscript suite contains utilities for rendering PostScript and
    PDF documents. Ghostscript translates PostScript code to common bitmap
    formats so that the code can be displayed or printed.
    
    Security Fix(es) :
    
    * It was found that ghostscript did not properly validate the
    parameters passed to the .rsdparams and .eqproc functions. During its
    execution, a specially crafted PostScript document could execute code
    in the context of the ghostscript process, bypassing the -dSAFER
    protection. (CVE-2017-8291)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-May/006907.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-May/006908.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ghostscript packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ghostscript-gtk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"ghostscript-8.70-23.el6_9.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ghostscript-devel-8.70-23.el6_9.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ghostscript-doc-8.70-23.el6_9.2")) flag++;
    if (rpm_check(release:"EL6", reference:"ghostscript-gtk-8.70-23.el6_9.2")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-9.07-20.el7_3.5")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-cups-9.07-20.el7_3.5")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-devel-9.07-20.el7_3.5")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-doc-9.07-20.el7_3.5")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"ghostscript-gtk-9.07-20.el7_3.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript / ghostscript-cups / ghostscript-devel / etc");
    }
    
  • NASL family: Virtuozzo Local Security Checks
    NASL id: VIRTUOZZO_VZLSA-2017-1230.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101465
    published: 2017-07-13
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101465
    title: Virtuozzo 6 : ghostscript / ghostscript-devel / ghostscript-doc / etc (VZLSA-2017-1230)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-1230.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100172
    published: 2017-05-15
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100172
    title: RHEL 6 / 7 : ghostscript (RHSA-2017:1230)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1101.NASL
    description: According to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2017-06-09
    plugin id: 100694
    published: 2017-06-09
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100694
    title: EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2017-1101)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-932.NASL
    description: A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed. For Debian 7
    last seen: 2020-03-17
    modified: 2017-05-08
    plugin id: 99998
    published: 2017-05-08
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99998
    title: Debian DLA-932-1 : ghostscript security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1322-1.NASL
    description: This update for ghostscript fixes the following security vulnerability : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) This update is a reissue including the SUSE Linux Enterprise 11 SP3 product. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100264
    published: 2017-05-18
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100264
    title: SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2017:1322-1)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2017-837.NASL
    description: It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100638
    published: 2017-06-07
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100638
    title: Amazon Linux AMI : ghostscript (ALAS-2017-837)
  • NASL family: Windows
    NASL id: GHOSTSCRIPT_9_21.NASL
    description: The version of Artifex Ghostscript installed on the remote Windows host is 9.21 or earlier. It is, therefore, affected by a type confusion error when handling the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100356
    published: 2017-05-23
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100356
    title: Artifex Ghostscript .rsdparams Operator Handling Type Confusion RCE
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-FAE1506F94.NASL
    description: Security fixes release for these CVEs : - [CVE-2016-10217](https://access.redhat.com/security/cve/CVE-2016-10217) *(use-after-free and application crash)* - [CVE-2016-10218](https://access.redhat.com/security/cve/CVE-2016-10218) *(NULL pointer dereference and application crash)* - [CVE-2016-10219](https://access.redhat.com/security/cve/CVE-2016-10219) *(divide-by-zero error and application crash)* - [CVE-2016-10220](https://access.redhat.com/security/cve/CVE-2016-10220) *(NULL pointer dereference and application crash)* - [CVE-2017-5951](https://access.redhat.com/security/cve/CVE-2017-5951) *(NULL pointer dereference and application crash)* - [CVE-2017-7975](https://access.redhat.com/security/cve/CVE-2017-7975) *(application crash or possible execution of arbitrary code)* - [CVE-2017-8291](https://access.redhat.com/security/cve/CVE-2017-8291) *( -dSAFER bypass and remote command execution)* Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-05-16
    plugin id: 100201
    published: 2017-05-16
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100201
    title: Fedora 24 : ghostscript (2017-fae1506f94)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201708-06.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201708-06 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for additional information. Impact : A context-dependent attacker could entice a user to open a specially crafted PostScript file or PDF document using GPL Ghostscript possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102618
    published: 2017-08-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102618
    title: GLSA-201708-06 : GPL Ghostscript: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1138-1.NASL
    description: This update for ghostscript fixes the following security vulnerabilities : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) - CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) - CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) - CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) - CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99761
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99761
    title: SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2017:1138-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2018-0285.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - It was found that the fix for CVE-2018-16509 was not complete, the missing pieces added into ghostscript-CVE-2018-16509.patch - Resolves: #1641124 - CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore - Added security fix for CVE-2017-8291 (bug #1446063)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119484
    published: 2018-12-07
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119484
    title: OracleVM 3.3 / 3.4 : ghostscript (OVMSA-2018-0285)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1153-1.NASL
    description: This update for ghostscript fixes the following security vulnerability : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99979
    published: 2017-05-04
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99979
    title: SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2017:1153-1)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3272-1.NASL
    description: It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash). (CVE-2017-8291) Kamil Frankowicz discovered a use-after-free vulnerability in the color management module of Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10217) Kamil Frankowicz discovered a divide-by-zero error in the scan conversion code in Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10219) Kamil Frankowicz discovered multiple NULL pointer dereference errors in Ghostscript. An attacker could use these to cause a denial of service (application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99726
    published: 2017-04-28
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99726
    title: Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ghostscript vulnerabilities (USN-3272-1)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2017-1230.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100175
    published: 2017-05-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100175
    title: CentOS 6 / 7 : ghostscript (CESA-2017:1230)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0097_GHOSTSCRIPT.NASL
    description: The remote NewStart CGSL host, running version MAIN 4.05, has ghostscript packages installed that are affected by a vulnerability: - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127321
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127321
    title: NewStart CGSL MAIN 4.05 : ghostscript Vulnerability (NS-SA-2019-0097)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1404-1.NASL
    description: This update for ghostscript fixes the following security vulnerabilities : - CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) - CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) - CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) - CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) - CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) This is a reissue of the previous update to also include SUSE Linux Enterprise 12 GA LTSS packages. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100410
    published: 2017-05-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100410
    title: SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2017:1404-1)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20170512_GHOSTSCRIPT_ON_SL6_X.NASL
    description: Security Fix(es) : - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
    last seen: 2020-03-18
    modified: 2017-05-15
    plugin id: 100173
    published: 2017-05-15
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100173
    title: Scientific Linux Security Update : ghostscript on SL6.x, SL7.x i386/x86_64 (20170512)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3272-2.NASL
    description: USN-3272-1 fixed vulnerabilities in Ghostscript. This change introduced a regression when the DELAYBIND feature is used with the eqproc command. This update fixes the problem. We apologize for the inconvenience. It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash). (CVE-2017-8291) Kamil Frankowicz discovered a use-after-free vulnerability in the color management module of Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10217) Kamil Frankowicz discovered a divide-by-zero error in the scan conversion code in Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10219) Kamil Frankowicz discovered multiple NULL pointer dereference errors in Ghostscript. An attacker could use these to cause a denial of service (application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100247
    published: 2017-05-17
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100247
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ghostscript regression (USN-3272-2)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-558.NASL
    description: This update for ghostscript fixes the following security vulnerabilities : CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453) CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128) CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120) CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114) CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263) This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2017-05-09
    plugin id: 100041
    published: 2017-05-09
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100041
    title: openSUSE Security Update : ghostscript (openSUSE-2017-558)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2017-0103.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - Security fix for CVE-2017-8291 updated to address SIGSEGV - Added security fix for CVE-2017-8291 (bug #1446063) - Fix for regression caused by previous CVE fixes (bug #1410260)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100205
    published: 2017-05-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100205
    title: OracleVM 3.3 / 3.4 : ghostscript (OVMSA-2017-0103)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-C85C0E5637.NASL
    descriptionSecurity fixes release for these CVEs:
      - [CVE-2016-10217](https://access.redhat.com/security/cve/CVE-2016-10217) *(use-after-free and application crash)*
      - [CVE-2016-10218](https://access.redhat.com/security/cve/CVE-2016-10218) *(NULL pointer dereference and application crash)*
      - [CVE-2016-10219](https://access.redhat.com/security/cve/CVE-2016-10219) *(divide-by-zero error and application crash)*
      - [CVE-2016-10220](https://access.redhat.com/security/cve/CVE-2016-10220) *(NULL pointer dereference and application crash)*
      - [CVE-2017-5951](https://access.redhat.com/security/cve/CVE-2017-5951) *(NULL pointer dereference and application crash)*
      - [CVE-2017-7975](https://access.redhat.com/security/cve/CVE-2017-7975) *(application crash or possible execution of arbitrary code)*
      - [CVE-2017-8291](https://access.redhat.com/security/cve/CVE-2017-8291) *(-dSAFER bypass and remote command execution)*
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-05-08
    plugin id100013
    published2017-05-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100013
    titleFedora 25 : ghostscript (2017-c85c0e5637)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1100.NASL
    descriptionAccording to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability:
      - It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection. (CVE-2017-8291)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-06-09
    plugin id100693
    published2017-06-09
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100693
    titleEulerOS 2.0 SP1 : ghostscript (EulerOS-SA-2017-1100)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-A606D224A5.NASL
    descriptionSecurity fixes release for these CVEs:
      - [CVE-2016-10217](https://access.redhat.com/security/cve/CVE-2016-10217) *(use-after-free and application crash)*
      - [CVE-2016-10218](https://access.redhat.com/security/cve/CVE-2016-10218) *(NULL pointer dereference and application crash)*
      - [CVE-2016-10219](https://access.redhat.com/security/cve/CVE-2016-10219) *(divide-by-zero error and application crash)*
      - [CVE-2016-10220](https://access.redhat.com/security/cve/CVE-2016-10220) *(NULL pointer dereference and application crash)*
      - [CVE-2017-5951](https://access.redhat.com/security/cve/CVE-2017-5951) *(NULL pointer dereference and application crash)*
      - [CVE-2017-7975](https://access.redhat.com/security/cve/CVE-2017-7975) *(application crash or possible execution of arbitrary code)*
      - [CVE-2017-8291](https://access.redhat.com/security/cve/CVE-2017-8291) *(-dSAFER bypass and remote command execution)*
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101695
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101695
    titleFedora 26 : ghostscript (2017-a606d224a5)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3838.NASL
    descriptionSeveral vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or denial of service if a specially crafted Postscript file is processed.
    last seen2020-06-01
    modified2020-06-02
    plugin id99741
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99741
    titleDebian DSA-3838-1 : ghostscript - security update

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/142363/ghostscript_type_confusion.rb.txt
idPACKETSTORM:142363
last seen2017-05-02
published2017-05-01
reporterH D Moore
sourcehttps://packetstormsecurity.com/files/142363/Ghostscript-9.21-Type-Confusion-Arbitrary-Command-Execution.html
titleGhostscript 9.21 Type Confusion Arbitrary Command Execution

Redhat

advisories
bugzilla
id1446063
titleCVE-2017-8291 ghostscript: corruption of operand stack
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentghostscript-gtk is earlier than 0:8.70-23.el6_9.2
          ovaloval:com.redhat.rhsa:tst:20171230001
        • commentghostscript-gtk is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095013
      • AND
        • commentghostscript-devel is earlier than 0:8.70-23.el6_9.2
          ovaloval:com.redhat.rhsa:tst:20171230003
        • commentghostscript-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095015
      • AND
        • commentghostscript-doc is earlier than 0:8.70-23.el6_9.2
          ovaloval:com.redhat.rhsa:tst:20171230005
        • commentghostscript-doc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095011
      • AND
        • commentghostscript is earlier than 0:8.70-23.el6_9.2
          ovaloval:com.redhat.rhsa:tst:20171230007
        • commentghostscript is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095009
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentghostscript-doc is earlier than 0:9.07-20.el7_3.5
          ovaloval:com.redhat.rhsa:tst:20171230010
        • commentghostscript-doc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095011
      • AND
        • commentghostscript-devel is earlier than 0:9.07-20.el7_3.5
          ovaloval:com.redhat.rhsa:tst:20171230011
        • commentghostscript-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095015
      • AND
        • commentghostscript-gtk is earlier than 0:9.07-20.el7_3.5
          ovaloval:com.redhat.rhsa:tst:20171230012
        • commentghostscript-gtk is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095013
      • AND
        • commentghostscript-cups is earlier than 0:9.07-20.el7_3.5
          ovaloval:com.redhat.rhsa:tst:20171230013
        • commentghostscript-cups is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20170013010
      • AND
        • commentghostscript is earlier than 0:9.07-20.el7_3.5
          ovaloval:com.redhat.rhsa:tst:20171230015
        • commentghostscript is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120095009
rhsa
idRHSA-2017:1230
released2017-05-12
severityImportant
titleRHSA-2017:1230: ghostscript security update (Important)
rpms
  • ghostscript-0:8.70-23.el6_9.2
  • ghostscript-0:9.07-20.el7_3.5
  • ghostscript-cups-0:9.07-20.el7_3.5
  • ghostscript-debuginfo-0:8.70-23.el6_9.2
  • ghostscript-debuginfo-0:9.07-20.el7_3.5
  • ghostscript-devel-0:8.70-23.el6_9.2
  • ghostscript-devel-0:9.07-20.el7_3.5
  • ghostscript-doc-0:8.70-23.el6_9.2
  • ghostscript-doc-0:9.07-20.el7_3.5
  • ghostscript-gtk-0:8.70-23.el6_9.2
  • ghostscript-gtk-0:9.07-20.el7_3.5

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:93067
last seen2017-11-19
modified2017-04-29
published2017-04-29
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-93067
titleGhostscript remote code execution (CVE-2017-8291) (ghostbutt)

The Hacker News

idTHN:6EE883925125E982A6EC7C360E183C43
last seen2018-08-22
modified2018-08-22
published2018-08-22
reporterThe Hacker News
sourcehttps://thehackernews.com/2018/08/ghostscript-postscript-vulnerability.html
titleCritical Flaws in Ghostscript Could Leave Many Systems at Risk of Hacking