CVE-2018-19476 - Incorrect Type Conversion or Cast vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, artifex, debian, canonical, redhat, CWE-704, nessus

Summary

psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.

Vulnerable Configurations

Part         Description  Count
Application  Artifex      249
Application  Redhat       1
OS           Debian       2
OS           Canonical    4
OS           Redhat       7

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2019-0229.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: use-after-free in copydevice handling (699661) (CVE-2018-16540) * ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) * ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) * ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) * ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting CVE-2019-6116. Bug Fix(es) : * Previously, ghostscript-9.07-31.el7_6.1 introduced a regression during the standard input reading, causing a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122061
    published: 2019-02-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122061
    title: CentOS 7 : ghostscript (CESA-2019:0229)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:0229 and 
    # CentOS Errata and Security Advisory 2019:0229 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122061);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-16540", "CVE-2018-19475", "CVE-2018-19476", "CVE-2018-19477", "CVE-2019-6116");
      script_xref(name:"RHSA", value:"2019:0229");
    
      script_name(english:"CentOS 7 : ghostscript (CESA-2019:0229)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for ghostscript is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The Ghostscript suite contains utilities for rendering PostScript and
    PDF documents. Ghostscript translates PostScript code to common bitmap
    formats so that the code can be displayed or printed.
    
    Security Fix(es) :
    
    * ghostscript: use-after-free in copydevice handling (699661)
    (CVE-2018-16540)
    
    * ghostscript: access bypass in psi/zdevice2.c (700153)
    (CVE-2018-19475)
    
    * ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476)
    
    * ghostscript: access bypass in psi/zfjbig2.c (700168)
    (CVE-2018-19477)
    
    * ghostscript: subroutines within pseudo-operators must themselves be
    pseudo-operators (700317) (CVE-2019-6116)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Tavis Ormandy (Google Project Zero) for
    reporting CVE-2019-6116.
    
    Bug Fix(es) :
    
    * Previously, ghostscript-9.07-31.el7_6.1 introduced a regression
    during the standard input reading, causing a '/invalidfileaccess in
    --run--' error. With this update, the regression has been fixed and
    the described error no longer occurs. (BZ#1665919)"
      );
      # https://lists.centos.org/pipermail/centos-announce/2019-February/023191.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?437d1158"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ghostscript packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16540");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ghostscript");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ghostscript-cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ghostscript-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ghostscript-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:ghostscript-gtk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ghostscript-9.07-31.el7_6.9")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ghostscript-cups-9.07-31.el7_6.9")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ghostscript-devel-9.07-31.el7_6.9")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ghostscript-doc-9.07-31.el7_6.9")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"ghostscript-gtk-9.07-31.el7_6.9")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript / ghostscript-cups / ghostscript-devel / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-1552.NASL
    description: This update for ghostscript to version 9.26 fixes the following issues : Security issues fixed : - CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) - CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) - CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) - CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) - CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) - CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) - CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) - CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331) : - Security issues have been the primary focus - Minor bug fixes and improvements - For release summary see: http://www.ghostscript.com/doc/9.26/News.htm This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-05
    modified: 2018-12-17
    plugin id: 119711
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119711
    title: openSUSE Security Update : ghostscript (openSUSE-2018-1552)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1065.NASL
    description: According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) - ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) - ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) - ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-03-08
    plugin id: 122688
    published: 2019-03-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122688
    title: EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-1065)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-4087-1.NASL
    description: This update for ghostscript to version 9.26 fixes the following issues : Security issues fixed : CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331): Security issues have been the primary focus Minor bug fixes and improvements For release summary see: http://www.ghostscript.com/doc/9.26/News.htm Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 120186
    published: 2019-01-02
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120186
    title: SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:4087-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1092.NASL
    description: According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) - ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) - ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) - ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-03-26
    plugin id: 123105
    published: 2019-03-26
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123105
    title: EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-1092)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-4090-1.NASL
    description: This update for ghostscript to version 9.26 fixes the following issues : Security issues fixed : CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331): Security issues have been the primary focus Minor bug fixes and improvements For release summary see: http://www.ghostscript.com/doc/9.26/News.htm Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119651
    published: 2018-12-13
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119651
    title: SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:4090-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1110.NASL
    description: According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) - ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) - ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) - ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-04-02
    plugin id: 123584
    published: 2019-04-02
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123584
    title: EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-1110)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0054_GHOSTSCRIPT.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities: - It was discovered that the ghostscript PDF14 compositor did not properly handle the copying of a device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. (CVE-2018-16540) - psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475) - psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476) - psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477) - It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127241
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127241
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0054)
  • NASL family: Windows
    NASL id: GHOSTSCRIPT_9_26.NASL
    description: The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.26. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119240
    published: 2018-11-28
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119240
    title: Artifex Ghostscript < 9.26 PostScript Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-1556.NASL
    description: This update for ghostscript to version 9.26 fixes the following issues : Security issues fixed : - CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) - CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) - CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) - CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) - CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) - CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) - CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) - CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331) : - Security issues have been the primary focus - Minor bug fixes and improvements - For release summary see: http://www.ghostscript.com/doc/9.26/News.htm This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2018-12-17
    plugin id: 119713
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119713
    title: openSUSE Security Update : ghostscript (openSUSE-2018-1556)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-0229.NASL
    description: From Red Hat Security Advisory 2019:0229 : An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: use-after-free in copydevice handling (699661) (CVE-2018-16540) * ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) * ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) * ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) * ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting CVE-2019-6116. Bug Fix(es) : * Previously, ghostscript-9.07-31.el7_6.1 introduced a regression during the standard input reading, causing a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 121523
    published: 2019-02-01
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121523
    title: Oracle Linux 7 : ghostscript (ELSA-2019-0229)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-0229.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: use-after-free in copydevice handling (699661) (CVE-2018-16540) * ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) * ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) * ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) * ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting CVE-2019-6116. Bug Fix(es) : * Previously, ghostscript-9.07-31.el7_6.1 introduced a regression during the standard input reading, causing a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 121527
    published: 2019-02-01
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121527
    title: RHEL 7 : ghostscript (RHSA-2019:0229)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190131_GHOSTSCRIPT_ON_SL7_X.NASL
    description: Security Fix(es) : - ghostscript: use-after-free in copydevice handling (699661) (CVE-2018-16540) - ghostscript: access bypass in psi/zdevice2.c (700153) (CVE-2018-19475) - ghostscript: access bypass in psi/zicc.c (700169) (CVE-2018-19476) - ghostscript: access bypass in psi/zfjbig2.c (700168) (CVE-2018-19477) - ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) (CVE-2019-6116) Bug Fix(es) : - Previously, ghostscript-9.07-31.el7_6.1 introduced a regression during the standard input reading, causing a
    last seen: 2020-03-18
    modified: 2019-02-01
    plugin id: 121532
    published: 2019-02-01
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121532
    title: Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190131)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-82ACB29C1B.NASL
    description: - rebase to latest upstream version 9.26 - Security fix for CVE-2018-19478 CVE-2018-19134 CVE-2018-19477 CVE-2018-19476 CVE-2018-19475 CVE-2018-19409 CVE-2018-18284 CVE-2018-18073 CVE-2018-17961 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122284
    published: 2019-02-19
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122284
    title: Fedora 28 : ghostscript (2019-82acb29c1b)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-077A3F23C0.NASL
    description: - rebase to latest upstream version 9.26 - Security fix for CVE-2018-19478 CVE-2018-19134 CVE-2018-19477 CVE-2018-19476 CVE-2018-19475 CVE-2018-19409 CVE-2018-18284 CVE-2018-18073 CVE-2018-17961 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122103
    published: 2019-02-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122103
    title: Fedora 29 : ghostscript (2019-077a3f23c0)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3831-1.NASL
    description: It was discovered that Ghostscript contained multiple security issues. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119301
    published: 2018-11-30
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119301
    title: Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : ghostscript vulnerabilities (USN-3831-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1598.NASL
    description: Several security vulnerabilities were discovered in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled). For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119267
    published: 2018-11-29
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119267
    title: Debian DLA-1598-1 : ghostscript security update
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4346.NASL
    description: Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled). This update rebases ghostscript for stretch to the upstream version 9.26 which includes additional changes.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119269
    published: 2018-11-29
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119269
    title: Debian DSA-4346-1 : ghostscript - security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1254.NASL
    description: According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475) - psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476) - psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477) - It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-19
    modified: 2019-04-04
    plugin id: 123722
    published: 2019-04-04
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123722
    title: EulerOS Virtualization 2.5.3 : ghostscript (EulerOS-SA-2019-1254)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-1007.NASL
    description: This update for ghostscript to version 9.26 fixes the following issues : Security issues fixed : - CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327) - CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313) - CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274) - CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022) - CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229) - CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480) - CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479) - CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105) Version update to 9.26 (bsc#1117331) : - Security issues have been the primary focus - Minor bug fixes and improvements - For release summary see: http://www.ghostscript.com/doc/9.26/News.htm This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 123151
    published: 2019-03-27
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123151
    title: openSUSE Security Update : ghostscript (openSUSE-2019-1007)

Redhat

advisories
  • rhsa
    id: RHBA-2019:0327
  • rhsa
    id: RHSA-2019:0229
rpms
  • ghostscript-0:9.07-31.el7_6.9
  • ghostscript-cups-0:9.07-31.el7_6.9
  • ghostscript-debuginfo-0:9.07-31.el7_6.9
  • ghostscript-devel-0:9.07-31.el7_6.9
  • ghostscript-doc-0:9.07-31.el7_6.9
  • ghostscript-gtk-0:9.07-31.el7_6.9