CVE-2019-10216

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.

Vulnerable Configurations

Part         Description  Count
Application  Artifex      253
Application  Redhat       1
OS           Redhat       9

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1499.NASL
    description: According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities:
      - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. (CVE-2016-7976)
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)
      - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
      - A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      - libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. (CVE-2017-9216)
      - Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. (CVE-2017-7975)
      - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file. (CVE-2017-7885)
      - Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory. (CVE-2017-7976)
      - ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript. (CVE-2016-9601)
      - In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file. (CVE-2018-19478)
      - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-04-30
    modified: 2020-04-16
    plugin id: 135661
    published: 2020-04-16
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135661
    title: EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135661);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id(
        "CVE-2016-7976",
        "CVE-2016-9601",
        "CVE-2017-7885",
        "CVE-2017-7975",
        "CVE-2017-7976",
        "CVE-2017-9216",
        "CVE-2018-11645",
        "CVE-2018-19478",
        "CVE-2019-10216",
        "CVE-2019-14811",
        "CVE-2019-14812",
        "CVE-2019-14813",
        "CVE-2019-14817"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ghostscript package installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - The PS Interpreter in Ghostscript 9.18 and 9.20 allows
        remote attackers to execute arbitrary code via crafted
        userparams.(CVE-2016-7976)
    
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1
        permits the status command even if -dSAFER is used,
        which might allow remote attackers to determine the
        existence and size of arbitrary files, a similar issue
        to CVE-2016-7977.(CVE-2018-11645)
    
      - A flaw was found in the .pdfexectoken and other
        procedures where it did not properly secure its
        privileged calls, enabling scripts to bypass `-dSAFER`
        restrictions. A specially crafted PostScript file could
        disable security protection and then have access to the
        file system, or execute arbitrary
        commands.(CVE-2019-14817)
    
      - A flaw was found in the setsystemparams procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14813)
    
      - A flaw was found in the .setuserparams2 procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14812)
    
      - A flaw was found in the .pdf_hook_DSC_Creator procedure
        where it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14811)
    
      - libjbig2dec.a in Artifex jbig2dec 0.13, as used in
        MuPDF and Ghostscript, has a NULL pointer dereference
        in the jbig2_huffman_get function in jbig2_huffman.c.
        For example, the jbig2dec utility will crash
        (segmentation fault) when parsing an invalid
        file.(CVE-2017-9216)
    
      - Artifex jbig2dec 0.13, as used in Ghostscript, allows
        out-of-bounds writes because of an integer overflow in
        the jbig2_build_huffman_table function in
        jbig2_huffman.c during operations on a crafted JBIG2
        file, leading to a denial of service (application
        crash) or possibly execution of arbitrary
        code.(CVE-2017-7975)
    
      - Artifex jbig2dec 0.13 has a heap-based buffer over-read
        leading to denial of service (application crash) or
        disclosure of sensitive information from process
        memory, because of an integer overflow in the
        jbig2_decode_symbol_dict function in
        jbig2_symbol_dict.c in libjbig2dec.a during operation
        on a crafted .jb2 file.(CVE-2017-7885)
    
      - Artifex jbig2dec 0.13 allows out-of-bounds writes and
        reads because of an integer overflow in the
        jbig2_image_compose function in jbig2_image.c during
        operations on a crafted .jb2 file, leading to a denial
        of service (application crash) or disclosure of
        sensitive information from process
        memory.(CVE-2017-7976)
    
      - ghostscript before version 9.21 is vulnerable to a heap
        based buffer overflow that was found in the ghostscript
        jbig2_decode_gray_scale_image function which is used to
        decode halftone segments in a JBIG2 image. A document
        (PostScript or PDF) with an embedded, specially
        crafted, jbig2 image could trigger a segmentation fault
        in ghostscript.(CVE-2016-9601)
    
      - In Artifex Ghostscript before 9.26, a carefully crafted
        PDF file can trigger an extremely long running
        computation when parsing the file.(CVE-2018-19478)
    
      - It was found that the .buildfont1 procedure did not
        properly secure its privileged calls, enabling scripts
        to bypass `-dSAFER` restrictions. An attacker could
        abuse this flaw by creating a specially crafted
        PostScript file that could escalate privileges and
        access files outside of restricted
        areas.(CVE-2019-10216)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1499
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce7df4f5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ghostscript packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ghostscript-9.07-31.6.h13.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1549.NASL
    description: According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities:
      - In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file. (CVE-2018-19478)
      - In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      - The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. (CVE-2017-9611)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2020-05-01
    plugin id: 136252
    published: 2020-05-01
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136252
    title: EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1549)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136252);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2017-9611",
        "CVE-2018-19478",
        "CVE-2019-10216"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1549)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ghostscript package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In Artifex Ghostscript before 9.26, a carefully crafted
        PDF file can trigger an extremely long running
        computation when parsing the file.(CVE-2018-19478)
    
      - In ghostscript before version 9.50, the .buildfont1
        procedure did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. An
        attacker could abuse this flaw by creating a specially
        crafted PostScript file that could escalate privileges
        and access files outside of restricted
        areas.(CVE-2019-10216)
    
      - The Ins_MIRP function in base/ttinterp.c in Artifex
        Ghostscript GhostXPS 9.21 allows remote attackers to
        cause a denial of service (heap-based buffer over-read
        and application crash) or possibly have unspecified
        other impact via a crafted document.(CVE-2017-9611)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1549
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf85a932");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ghostscript packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["ghostscript-9.07-31.6.h14"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2139.NASL
    description: This update for ghostscript fixes the following issues. Security issue fixed: CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128869
    published: 2019-09-16
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128869
    title: openSUSE Security Update : ghostscript (openSUSE-2019-2139)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-2462.NASL
    description: From Red Hat Security Advisory 2019:2462: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es): ghostscript: -dSAFER escape via .buildfont1 (701394) (CVE-2019-10216). For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127979
    published: 2019-08-20
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127979
    title: Oracle Linux 7 : ghostscript (ELSA-2019-2462)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-93E0145607.NASL
    description: Fix for CVE-2019-10216 added. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128041
    published: 2019-08-21
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128041
    title: Fedora 30 : ghostscript (2019-93e0145607)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0203_GHOSTSCRIPT.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities:
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)
      - A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      - A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129908
    published: 2019-10-15
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129908
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0203)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4499.NASL
    description: Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127823
    published: 2019-08-13
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127823
    title: Debian DSA-4499-1 : ghostscript - security update
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2465.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es): ghostscript: -dSAFER escape via .buildfont1 (701394) (CVE-2019-10216). For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127832
    published: 2019-08-13
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127832
    title: RHEL 8 : ghostscript (RHSA-2019:2465)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-22F1C93255.NASL
    description: Fix for CVE-2019-10216 added. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128039
    published: 2019-08-21
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128039
    title: Fedora 29 : ghostscript (2019-22f1c93255)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2076.NASL
    description: According to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability:
      - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-03
    modified: 2019-09-30
    plugin id: 129435
    published: 2019-09-30
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129435
    title: EulerOS 2.0 SP8 : ghostscript (EulerOS-SA-2019-2076)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1100.NASL
    description: According to the version of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerability:
      - In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2020-02-24
    plugin id: 133901
    published: 2020-02-24
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133901
    title: EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2020-1100)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0250_GHOSTSCRIPT.NASL
    description: The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are affected by multiple vulnerabilities:
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)
      - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
      - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132453
    published: 2019-12-31
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132453
    title: NewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2348-1.NASL
    description: This update for ghostscript fixes the following issues : Security issue fixed : CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128678
    published: 2019-09-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128678
    title: SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2019:2348-1)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190812_GHOSTSCRIPT_ON_SL7_X.NASL
    description: Security Fix(es) : - ghostscript: -dSAFER escape via .buildfont1 (701394) (CVE-2019-10216)
    last seen: 2020-03-18
    modified: 2019-08-27
    plugin id: 128273
    published: 2019-08-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128273
    title: Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190812)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2462.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: -dSAFER escape via .buildfont1 (701394) (CVE-2019-10216) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127831
    published: 2019-08-13
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127831
    title: RHEL 7 : ghostscript (RHSA-2019:2462)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-2465.NASL
    description: From Red Hat Security Advisory 2019:2465 : An update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: -dSAFER escape via .buildfont1 (701394) (CVE-2019-10216) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127980
    published: 2019-08-20
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127980
    title: Oracle Linux 8 : ghostscript (ELSA-2019-2465)
  • NASL family: Windows
    NASL id: GHOSTSCRIPT_9_50.NASL
    description: The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.50. It is, therefore, affected by multiple security bypass vulnerabilities. An attacker could exploit one of these vulnerabilities to gain access to the file system and execute arbitrary commands.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130273
    published: 2019-10-25
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130273
    title: Artifex Ghostscript < 9.50 Multiple Vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1880.NASL
    description: Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127862
    published: 2019-08-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127862
    title: Debian DLA-1880-1 : ghostscript security update
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4092-1.NASL
    description: Netanel Fisher discovered that the font handler in Ghostscript did not properly restrict privileged calls when
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127840
    published: 2019-08-13
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127840
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : ghostscript vulnerability (USN-4092-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2347-1.NASL
    description: This update for ghostscript fixes the following issues : Security issue fixed : CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128677
    published: 2019-09-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128677
    title: SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2019:2347-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-202004-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-202004-03 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted file using GPL Ghostscript, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-04-07
    modified: 2020-04-02
    plugin id: 135114
    published: 2020-04-02
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135114
    title: GLSA-202004-03 : GPL Ghostscript: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2160.NASL
    description: This update for ghostscript fixes the following issues : Security issue fixed : - CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129336
    published: 2019-09-25
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129336
    title: openSUSE Security Update : ghostscript (openSUSE-2019-2160)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2338.NASL
    description: According to the versions of the ghostscript packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file.(CVE-2018-19478) - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.(CVE-2019-10216) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131503
    published: 2019-12-03
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131503
    title: EulerOS Virtualization for ARM 64 3.0.3.0 : ghostscript (EulerOS-SA-2019-2338)

Redhat

advisories
  • bugzilla
    id: 1737080
    title: CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment: libgs-devel is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462001
          • comment: libgs-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971012
        • AND
          • comment: ghostscript-gtk is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462003
          • comment: ghostscript-gtk is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095013
        • AND
          • comment: ghostscript-doc is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462005
          • comment: ghostscript-doc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095011
        • AND
          • comment: libgs is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462007
          • comment: libgs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971006
        • AND
          • comment: ghostscript-cups is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462009
          • comment: ghostscript-cups is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20170013010
        • AND
          • comment: ghostscript is earlier than 0:9.25-2.el7_7.1
            oval: oval:com.redhat.rhsa:tst:20192462011
          • comment: ghostscript is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095009
    rhsa
    id: RHSA-2019:2462
    released: 2019-08-12
    severity: Important
    title: RHSA-2019:2462: ghostscript security update (Important)
  • bugzilla
    id: 1737080
    title: CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 8 is installed
        oval: oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment: ghostscript-debugsource is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465001
          • comment: ghostscript-debugsource is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971004
        • AND
          • comment: libgs is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465003
          • comment: libgs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971006
        • AND
          • comment: ghostscript is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465005
          • comment: ghostscript is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095009
        • AND
          • comment: libgs-devel is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465007
          • comment: libgs-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971012
        • AND
          • comment: ghostscript-x11 is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465009
          • comment: ghostscript-x11 is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971014
        • AND
          • comment: ghostscript-tools-printing is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465011
          • comment: ghostscript-tools-printing is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971016
        • AND
          • comment: ghostscript-tools-fonts is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465013
          • comment: ghostscript-tools-fonts is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971018
        • AND
          • comment: ghostscript-tools-dvipdf is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465015
          • comment: ghostscript-tools-dvipdf is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971010
        • AND
          • comment: ghostscript-doc is earlier than 0:9.25-2.el8_0.2
            oval: oval:com.redhat.rhsa:tst:20192465017
          • comment: ghostscript-doc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095011
    rhsa
    id: RHSA-2019:2465
    released: 2019-08-12
    severity: Important
    title: RHSA-2019:2465: ghostscript security update (Important)
rpms
  • ghostscript-0:9.25-2.el7_7.1
  • ghostscript-cups-0:9.25-2.el7_7.1
  • ghostscript-debuginfo-0:9.25-2.el7_7.1
  • ghostscript-doc-0:9.25-2.el7_7.1
  • ghostscript-gtk-0:9.25-2.el7_7.1
  • libgs-0:9.25-2.el7_7.1
  • libgs-devel-0:9.25-2.el7_7.1
  • ghostscript-0:9.25-2.el8_0.2
  • ghostscript-debuginfo-0:9.25-2.el8_0.2
  • ghostscript-debugsource-0:9.25-2.el8_0.2
  • ghostscript-doc-0:9.25-2.el8_0.2
  • ghostscript-gtk-debuginfo-0:9.25-2.el8_0.2
  • ghostscript-tools-dvipdf-0:9.25-2.el8_0.2
  • ghostscript-tools-fonts-0:9.25-2.el8_0.2
  • ghostscript-tools-printing-0:9.25-2.el8_0.2
  • ghostscript-x11-0:9.25-2.el8_0.2
  • ghostscript-x11-debuginfo-0:9.25-2.el8_0.2
  • libgs-0:9.25-2.el8_0.2
  • libgs-debuginfo-0:9.25-2.el8_0.2
  • libgs-devel-0:9.25-2.el8_0.2