Vulnerabilities > CVE-2019-14812 - Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
artifex
fedoraproject
CWE-732
nessus

Summary

A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
  • Privilege Abuse
    An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Exploiting Incorrectly Configured Access Control Security Levels
    An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1499.NASL
    descriptionAccording to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.(CVE-2016-7976) - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.(CVE-2018-11645) - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.(CVE-2017-9216) - Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.(CVE-2017-7975) - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.(CVE-2017-7885) - Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.(CVE-2017-7976) - ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.(CVE-2016-9601) - In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file.(CVE-2018-19478) - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.(CVE-2019-10216) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-16
    plugin id135661
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135661
    titleEulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135661);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id(
        "CVE-2016-7976",
        "CVE-2016-9601",
        "CVE-2017-7885",
        "CVE-2017-7975",
        "CVE-2017-7976",
        "CVE-2017-9216",
        "CVE-2018-11645",
        "CVE-2018-19478",
        "CVE-2019-10216",
        "CVE-2019-14811",
        "CVE-2019-14812",
        "CVE-2019-14813",
        "CVE-2019-14817"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ghostscript package installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - The PS Interpreter in Ghostscript 9.18 and 9.20 allows
        remote attackers to execute arbitrary code via crafted
        userparams.(CVE-2016-7976)
    
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1
        permits the status command even if -dSAFER is used,
        which might allow remote attackers to determine the
        existence and size of arbitrary files, a similar issue
        to CVE-2016-7977.(CVE-2018-11645)
    
      - A flaw was found in the .pdfexectoken and other
        procedures where it did not properly secure its
        privileged calls, enabling scripts to bypass `-dSAFER`
        restrictions. A specially crafted PostScript file could
        disable security protection and then have access to the
        file system, or execute arbitrary
        commands.(CVE-2019-14817)
    
      - A flaw was found in the setsystemparams procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14813)
    
      - A flaw was found in the .setuserparams2 procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14812)
    
      - A flaw was found in the .pdf_hook_DSC_Creator procedure
        where it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14811)
    
      - libjbig2dec.a in Artifex jbig2dec 0.13, as used in
        MuPDF and Ghostscript, has a NULL pointer dereference
        in the jbig2_huffman_get function in jbig2_huffman.c.
        For example, the jbig2dec utility will crash
        (segmentation fault) when parsing an invalid
        file.(CVE-2017-9216)
    
      - Artifex jbig2dec 0.13, as used in Ghostscript, allows
        out-of-bounds writes because of an integer overflow in
        the jbig2_build_huffman_table function in
        jbig2_huffman.c during operations on a crafted JBIG2
        file, leading to a denial of service (application
        crash) or possibly execution of arbitrary
        code.(CVE-2017-7975)
    
      - Artifex jbig2dec 0.13 has a heap-based buffer over-read
        leading to denial of service (application crash) or
        disclosure of sensitive information from process
        memory, because of an integer overflow in the
        jbig2_decode_symbol_dict function in
        jbig2_symbol_dict.c in libjbig2dec.a during operation
        on a crafted .jb2 file.(CVE-2017-7885)
    
      - Artifex jbig2dec 0.13 allows out-of-bounds writes and
        reads because of an integer overflow in the
        jbig2_image_compose function in jbig2_image.c during
        operations on a crafted .jb2 file, leading to a denial
        of service (application crash) or disclosure of
        sensitive information from process
        memory.(CVE-2017-7976)
    
      - ghostscript before version 9.21 is vulnerable to a heap
        based buffer overflow that was found in the ghostscript
        jbig2_decode_gray_scale_image function which is used to
        decode halftone segments in a JBIG2 image. A document
        (PostScript or PDF) with an embedded, specially
        crafted, jbig2 image could trigger a segmentation fault
        in ghostscript.(CVE-2016-9601)
    
      - In Artifex Ghostscript before 9.26, a carefully crafted
        PDF file can trigger an extremely long running
        computation when parsing the file.(CVE-2018-19478)
    
      - It was found that the .buildfont1 procedure did not
        properly secure its privileged calls, enabling scripts
        to bypass `-dSAFER` restrictions. An attacker could
        abuse this flaw by creating a specially crafted
        PostScript file that could escalate privileges and
        access files outside of restricted
        areas.(CVE-2019-10216)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1499
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce7df4f5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ghostscript packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ghostscript-9.07-31.6.h13.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2222.NASL
    descriptionThis update for ghostscript fixes the following issues : Security issues fixed : - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id129482
    published2019-10-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129482
    titleopenSUSE Security Update : ghostscript (openSUSE-2019-2222)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-2222.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129482);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2019-12973", "CVE-2019-14811", "CVE-2019-14812", "CVE-2019-14813", "CVE-2019-14817", "CVE-2019-3835", "CVE-2019-3839");
      script_xref(name:"IAVB", value:"2019-B-0081");
    
      script_name(english:"openSUSE Security Update : ghostscript (openSUSE-2019-2222)");
      script_summary(english:"Check for the openSUSE-2019-2222 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for ghostscript fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2019-3835: Fixed an unauthorized file system access
        caused by an available superexec operator. (bsc#1129180)
    
      - CVE-2019-3839: Fixed an unauthorized file system access
        caused by available privileged operators. (bsc#1134156)
    
      - CVE-2019-12973: Fixed a denial-of-service vulnerability
        in the OpenJPEG function opj_t1_encode_cblks.
        (bsc#1140359)
    
      - CVE-2019-14811: Fixed a safer mode bypass by .forceput
        exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
    
      - CVE-2019-14812: Fixed a safer mode bypass by .forceput
        exposure in setuserparams. (bsc#1146882)
    
      - CVE-2019-14813: Fixed a safer mode bypass by .forceput
        exposure in setsystemparams. (bsc#1146882)
    
      - CVE-2019-14817: Fixed a safer mode bypass by .forceput
        exposure in .pdfexectoken and other procedures.
        (bsc#1146884)
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1129180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1129186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1134156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1140359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1146882"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1146884"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ghostscript packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-x11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-debuginfo-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-debugsource-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-devel-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-debuginfo-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-debugsource-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-devel-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-x11-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-x11-debuginfo-9.27-lp150.2.23.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript-mini / ghostscript-mini-debuginfo / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2586.NASL
    descriptionAn update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129019
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129019
    titleCentOS 7 : ghostscript (CESA-2019:2586)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0203_GHOSTSCRIPT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities: - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645) - A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813) - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811) - A flaw was found in, ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129908
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129908
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0203)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-953FC0F16D.NASL
    description - rebase to latest upstream version 9.27 - security fixes added for : - CVE-2019-14811 (bug #1747908) - CVE-2019-14812 (bug #1747907) - CVE-2019-14813 (bug #1747906) - CVE-2019-14817 (bug #1747909) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129323
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129323
    titleFedora 30 : ghostscript (2019-953fc0f16d)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2478-1.NASL
    descriptionThis update for ghostscript to 9.27 fixes the following issues : Security issues fixed : CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129404
    published2019-09-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129404
    titleSUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2019:2478-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2591.NASL
    descriptionAn update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128450
    published2019-09-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128450
    titleRHEL 8 : ghostscript (RHSA-2019:2591)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190903_GHOSTSCRIPT_ON_SL7_X.NASL
    descriptionSecurity Fix(es):&#13; &#13; - ghostscript: Safer mode bypass by .forceput exposure in&#13; .pdf_hook_DSC_Creator (701445) (CVE-2019-14811)&#13; &#13; - ghostscript: Safer mode bypass by .forceput exposure in setuserparams&#13; (701444) (CVE-2019-14812)&#13; &#13; - ghostscript: Safer mode bypass by .forceput exposure in setsystemparams&#13; (701443) (CVE-2019-14813)&#13; &#13; - ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken&#13; and other procedures (701450) (CVE-2019-14817)&#13; --&#13;
    last seen2020-03-18
    modified2019-09-04
    plugin id128499
    published2019-09-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128499
    titleScientific Linux Security Update : ghostscript on SL7.x x86_64 (20190903)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1348.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-07
    modified2020-04-02
    plugin id135135
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135135
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : ghostscript (EulerOS-SA-2020-1348)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-EBD6C4F15A.NASL
    description - rebase to latest upstream version 9.27 - security fixes added for : - CVE-2019-14811 (bug #1747908) - CVE-2019-14812 (bug #1747907) - CVE-2019-14813 (bug #1747906) - CVE-2019-14817 (bug #1747909) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129423
    published2019-09-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129423
    titleFedora 29 : ghostscript (2019-ebd6c4f15a)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2151.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.(CVE-2018-11645) - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.(CVE-2016-7976) - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-12
    plugin id130860
    published2019-11-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130860
    titleEulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2151)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2242.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130704
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130704
    titleEulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-2242)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0250_GHOSTSCRIPT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are affected by multiple vulnerabilities: - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645) - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132453
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132453
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4518.NASL
    descriptionIt was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.
    last seen2020-06-01
    modified2020-06-02
    plugin id128560
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128560
    titleDebian DSA-4518-1 : ghostscript - security update
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_22AE307A1AC411EAB267001CC0382B2F.NASL
    descriptionCedric Buissart (Red Hat) reports : A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id131844
    published2019-12-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131844
    titleFreeBSD : Ghostscript -- Security bypass vulnerabilities (22ae307a-1ac4-11ea-b267-001cc0382b2f)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2591.NASL
    descriptionFrom Red Hat Security Advisory 2019:2591 : An update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128598
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128598
    titleOracle Linux 8 : ghostscript (ELSA-2019-2591)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-0A9D525D71.NASL
    description - rebase to latest upstream version 9.27 - security fixes added for : - CVE-2019-14811 (bug #1747908) - CVE-2019-14812 (bug #1747907) - CVE-2019-14813 (bug #1747906) - CVE-2019-14817 (bug #1747909) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129601
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129601
    titleFedora 31 : ghostscript (2019-0a9d525d71)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1240.NASL
    descriptionAccording to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.(CVE-2016-7976) - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.(CVE-2018-11645) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.(CVE-2017-9216) - Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.(CVE-2017-7975) - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.(CVE-2017-7885) - Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.(CVE-2017-7976) - A heap based buffer overflow was found in the ghostscript jbig2_decode_gray_scale_image() function used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.(CVE-2016-9601) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-19
    modified2020-03-13
    plugin id134529
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134529
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2586.NASL
    descriptionAn update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128448
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128448
    titleRHEL 7 : ghostscript (RHSA-2019:2586)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2223.NASL
    descriptionThis update for ghostscript fixes the following issues : Security issues fixed : - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id129483
    published2019-10-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129483
    titleopenSUSE Security Update : ghostscript (openSUSE-2019-2223)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1150.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-02-25
    plugin id133984
    published2020-02-25
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133984
    titleEulerOS 2.0 SP8 : ghostscript (EulerOS-SA-2020-1150)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2460-1.NASL
    descriptionThis update for ghostscript fixes the following issues : Security issues fixed : CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129381
    published2019-09-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129381
    titleSUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2019:2460-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202004-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202004-03 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted file using GPL Ghostscript, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-04-07
    modified2020-04-02
    plugin id135114
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135114
    titleGLSA-202004-03 : GPL Ghostscript: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4111-1.NASL
    descriptionHiroki Matsukuma discovered that the PDF interpreter in Ghostscript did not properly restrict privileged calls when
    last seen2020-06-01
    modified2020-06-02
    plugin id128322
    published2019-08-29
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128322
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : ghostscript vulnerabilities (USN-4111-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1915.NASL
    descriptionIt was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id128619
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128619
    titleDebian DLA-1915-1 : ghostscript security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2586.NASL
    descriptionFrom Red Hat Security Advisory 2019:2586 : An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128445
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128445
    titleOracle Linux 7 : ghostscript (ELSA-2019-2586)

Redhat

rpms
  • ghostscript-0:9.25-2.el7_7.2
  • ghostscript-cups-0:9.25-2.el7_7.2
  • ghostscript-debuginfo-0:9.25-2.el7_7.2
  • ghostscript-doc-0:9.25-2.el7_7.2
  • ghostscript-gtk-0:9.25-2.el7_7.2
  • libgs-0:9.25-2.el7_7.2
  • libgs-devel-0:9.25-2.el7_7.2
  • ghostscript-0:9.25-2.el8_0.3
  • ghostscript-debuginfo-0:9.25-2.el8_0.3
  • ghostscript-debugsource-0:9.25-2.el8_0.3
  • ghostscript-doc-0:9.25-2.el8_0.3
  • ghostscript-gtk-debuginfo-0:9.25-2.el8_0.3
  • ghostscript-tools-dvipdf-0:9.25-2.el8_0.3
  • ghostscript-tools-fonts-0:9.25-2.el8_0.3
  • ghostscript-tools-printing-0:9.25-2.el8_0.3
  • ghostscript-x11-0:9.25-2.el8_0.3
  • ghostscript-x11-debuginfo-0:9.25-2.el8_0.3
  • libgs-0:9.25-2.el8_0.3
  • libgs-debuginfo-0:9.25-2.el8_0.3
  • libgs-devel-0:9.25-2.el8_0.3