CVE-2019-14817 - Incorrect Authorization vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

A flaw was found in ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

Vulnerable Configurations

Part         Description    Count
Application  Artifex        252
Application  Redhat         2
OS           Opensuse       2
OS           Fedoraproject  3
OS           Debian         3

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1499.NASL
    description: According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
      - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. (CVE-2016-7976)
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)
      - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
      - A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      - libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. (CVE-2017-9216)
      - Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. (CVE-2017-7975)
      - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file. (CVE-2017-7885)
      - Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory. (CVE-2017-7976)
      - ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript. (CVE-2016-9601)
      - In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file. (CVE-2018-19478)
      - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-04-30
    modified: 2020-04-16
    plugin id: 135661
    published: 2020-04-16
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135661
    title: EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135661);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id(
        "CVE-2016-7976",
        "CVE-2016-9601",
        "CVE-2017-7885",
        "CVE-2017-7975",
        "CVE-2017-7976",
        "CVE-2017-9216",
        "CVE-2018-11645",
        "CVE-2018-19478",
        "CVE-2019-10216",
        "CVE-2019-14811",
        "CVE-2019-14812",
        "CVE-2019-14813",
        "CVE-2019-14817"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ghostscript package installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - The PS Interpreter in Ghostscript 9.18 and 9.20 allows
        remote attackers to execute arbitrary code via crafted
        userparams.(CVE-2016-7976)
    
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1
        permits the status command even if -dSAFER is used,
        which might allow remote attackers to determine the
        existence and size of arbitrary files, a similar issue
        to CVE-2016-7977.(CVE-2018-11645)
    
      - A flaw was found in the .pdfexectoken and other
        procedures where it did not properly secure its
        privileged calls, enabling scripts to bypass `-dSAFER`
        restrictions. A specially crafted PostScript file could
        disable security protection and then have access to the
        file system, or execute arbitrary
        commands.(CVE-2019-14817)
    
      - A flaw was found in the setsystemparams procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14813)
    
      - A flaw was found in the .setuserparams2 procedure where
        it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14812)
    
      - A flaw was found in the .pdf_hook_DSC_Creator procedure
        where it did not properly secure its privileged calls,
        enabling scripts to bypass `-dSAFER` restrictions. A
        specially crafted PostScript file could disable
        security protection and then have access to the file
        system, or execute arbitrary commands.(CVE-2019-14811)
    
      - libjbig2dec.a in Artifex jbig2dec 0.13, as used in
        MuPDF and Ghostscript, has a NULL pointer dereference
        in the jbig2_huffman_get function in jbig2_huffman.c.
        For example, the jbig2dec utility will crash
        (segmentation fault) when parsing an invalid
        file.(CVE-2017-9216)
    
      - Artifex jbig2dec 0.13, as used in Ghostscript, allows
        out-of-bounds writes because of an integer overflow in
        the jbig2_build_huffman_table function in
        jbig2_huffman.c during operations on a crafted JBIG2
        file, leading to a denial of service (application
        crash) or possibly execution of arbitrary
        code.(CVE-2017-7975)
    
      - Artifex jbig2dec 0.13 has a heap-based buffer over-read
        leading to denial of service (application crash) or
        disclosure of sensitive information from process
        memory, because of an integer overflow in the
        jbig2_decode_symbol_dict function in
        jbig2_symbol_dict.c in libjbig2dec.a during operation
        on a crafted .jb2 file.(CVE-2017-7885)
    
      - Artifex jbig2dec 0.13 allows out-of-bounds writes and
        reads because of an integer overflow in the
        jbig2_image_compose function in jbig2_image.c during
        operations on a crafted .jb2 file, leading to a denial
        of service (application crash) or disclosure of
        sensitive information from process
        memory.(CVE-2017-7976)
    
      - ghostscript before version 9.21 is vulnerable to a heap
        based buffer overflow that was found in the ghostscript
        jbig2_decode_gray_scale_image function which is used to
        decode halftone segments in a JBIG2 image. A document
        (PostScript or PDF) with an embedded, specially
        crafted, jbig2 image could trigger a segmentation fault
        in ghostscript.(CVE-2016-9601)
    
      - In Artifex Ghostscript before 9.26, a carefully crafted
        PDF file can trigger an extremely long running
        computation when parsing the file.(CVE-2018-19478)
    
      - It was found that the .buildfont1 procedure did not
        properly secure its privileged calls, enabling scripts
        to bypass `-dSAFER` restrictions. An attacker could
        abuse this flaw by creating a specially crafted
        PostScript file that could escalate privileges and
        access files outside of restricted
        areas.(CVE-2019-10216)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1499
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce7df4f5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ghostscript packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ghostscript-9.07-31.6.h13.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2222.NASL
    description: This update for ghostscript fixes the following issues :
      Security issues fixed :
      - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
      - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
      - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
      - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
      - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
      - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
      - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
      This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129482
    published: 2019-10-01
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129482
    title: openSUSE Security Update : ghostscript (openSUSE-2019-2222)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-2222.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129482);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2019-12973", "CVE-2019-14811", "CVE-2019-14812", "CVE-2019-14813", "CVE-2019-14817", "CVE-2019-3835", "CVE-2019-3839");
      script_xref(name:"IAVB", value:"2019-B-0081");
    
      script_name(english:"openSUSE Security Update : ghostscript (openSUSE-2019-2222)");
      script_summary(english:"Check for the openSUSE-2019-2222 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for ghostscript fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2019-3835: Fixed an unauthorized file system access
        caused by an available superexec operator. (bsc#1129180)
    
      - CVE-2019-3839: Fixed an unauthorized file system access
        caused by available privileged operators. (bsc#1134156)
    
      - CVE-2019-12973: Fixed a denial-of-service vulnerability
        in the OpenJPEG function opj_t1_encode_cblks.
        (bsc#1140359)
    
      - CVE-2019-14811: Fixed a safer mode bypass by .forceput
        exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
    
      - CVE-2019-14812: Fixed a safer mode bypass by .forceput
        exposure in setuserparams. (bsc#1146882)
    
      - CVE-2019-14813: Fixed a safer mode bypass by .forceput
        exposure in setsystemparams. (bsc#1146882)
    
      - CVE-2019-14817: Fixed a safer mode bypass by .forceput
        exposure in .pdfexectoken and other procedures.
        (bsc#1146884)
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1129180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1129186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1134156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1140359"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1146882"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1146884"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ghostscript packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-mini-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-x11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-debuginfo-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-debugsource-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-devel-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-debuginfo-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-debugsource-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-mini-devel-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-x11-9.27-lp150.2.23.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"ghostscript-x11-debuginfo-9.27-lp150.2.23.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript-mini / ghostscript-mini-debuginfo / etc");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2019-2586.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.
      Security Fix(es) :
      * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811)
      * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812)
      * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813)
      * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817)
      For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129019
    published: 2019-09-19
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129019
    title: CentOS 7 : ghostscript (CESA-2019:2586)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0203_GHOSTSCRIPT.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities:
      - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645)
      - A flaw was found in ghostscript, versions 9.x before 9.28, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      - A flaw was found in ghostscript versions prior to 9.28, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129908
    published: 2019-10-15
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129908
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0203)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-953FC0F16D.NASL
    description:
      - rebase to latest upstream version 9.27
      - security fixes added for :
        - CVE-2019-14811 (bug #1747908)
        - CVE-2019-14812 (bug #1747907)
        - CVE-2019-14813 (bug #1747906)
        - CVE-2019-14817 (bug #1747909)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129323
    published: 2019-09-25
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129323
    title: Fedora 30 : ghostscript (2019-953fc0f16d)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2478-1.NASL
    description: This update for ghostscript to 9.27 fixes the following issues :
      Security issues fixed :
      - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
      - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
      - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
      - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
      - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
      - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
      - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129404
    published: 2019-09-27
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129404
    title: SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2019:2478-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2591.NASL
    description: An update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.
      Security Fix(es) :
      * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811)
      * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812)
      * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813)
      * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817)
      For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128450
    published: 2019-09-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128450
    title: RHEL 8 : ghostscript (RHSA-2019:2591)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190903_GHOSTSCRIPT_ON_SL7_X.NASL
    description: Security Fix(es):
      - ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811)
      - ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812)
      - ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813)
      - ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817)
    last seen: 2020-03-18
    modified: 2019-09-04
    plugin id: 128499
    published: 2019-09-04
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128499
    title: Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190903)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1348.NASL
    description: According to the versions of the ghostscript packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :
      - A flaw was found in ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
      - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
      - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
      - A flaw was found in ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-04-07
    modified: 2020-04-02
    plugin id: 135135
    published: 2020-04-02
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135135
    title: EulerOS Virtualization for ARM 64 3.0.6.0 : ghostscript (EulerOS-SA-2020-1348)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-EBD6C4F15A.NASL
    description - rebase to latest upstream version 9.27 - security fixes added for : - CVE-2019-14811 (bug #1747908) - CVE-2019-14812 (bug #1747907) - CVE-2019-14813 (bug #1747906) - CVE-2019-14817 (bug #1747909) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129423
    published2019-09-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129423
    titleFedora 29 : ghostscript (2019-ebd6c4f15a)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2151.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.(CVE-2018-11645) - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.(CVE-2016-7976) - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-12
    plugin id130860
    published2019-11-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130860
    titleEulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2151)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2242.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130704
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130704
    titleEulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-2242)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0250_GHOSTSCRIPT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are affected by multiple vulnerabilities: - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977. (CVE-2018-11645) - It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas. (CVE-2019-10216) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132453
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132453
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4518.NASL
    descriptionIt was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.
    last seen2020-06-01
    modified2020-06-02
    plugin id128560
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128560
    titleDebian DSA-4518-1 : ghostscript - security update
  • NASL familyWindows
    NASL idGHOSTSCRIPT_9_50.NASL
    descriptionThe version of Artifex Ghostscript installed on the remote Windows host is prior to 9.50. It is, therefore, affected by multiple security bypass vulnerabilities. An attacker could exploit one of these vulnerabilities to gain access to the file system and execute arbitrary commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id130273
    published2019-10-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130273
    titleArtifex Ghostscript < 9.50 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_22AE307A1AC411EAB267001CC0382B2F.NASL
    descriptionCedric Buissart (Red Hat) reports : A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id131844
    published2019-12-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131844
    titleFreeBSD : Ghostscript -- Security bypass vulnerabilities (22ae307a-1ac4-11ea-b267-001cc0382b2f)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2591.NASL
    descriptionFrom Red Hat Security Advisory 2019:2591 : An update for ghostscript is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128598
    published2019-09-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128598
    titleOracle Linux 8 : ghostscript (ELSA-2019-2591)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-0A9D525D71.NASL
    description - rebase to latest upstream version 9.27 - security fixes added for : - CVE-2019-14811 (bug #1747908) - CVE-2019-14812 (bug #1747907) - CVE-2019-14813 (bug #1747906) - CVE-2019-14817 (bug #1747909) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129601
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129601
    titleFedora 31 : ghostscript (2019-0a9d525d71)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1240.NASL
    descriptionAccording to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.(CVE-2016-7976) - psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977.(CVE-2018-11645) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.(CVE-2017-9216) - Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.(CVE-2017-7975) - Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.(CVE-2017-7885) - Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.(CVE-2017-7976) - A heap based buffer overflow was found in the ghostscript jbig2_decode_gray_scale_image() function used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.(CVE-2016-9601) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-19
    modified2020-03-13
    plugin id134529
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134529
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2586.NASL
    descriptionAn update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128448
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128448
    titleRHEL 7 : ghostscript (RHSA-2019:2586)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2223.NASL
    descriptionThis update for ghostscript fixes the following issues : Security issues fixed : - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id129483
    published2019-10-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129483
    titleopenSUSE Security Update : ghostscript (openSUSE-2019-2223)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1150.NASL
    descriptionAccording to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14811) - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14812) - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14813) - A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.(CVE-2019-14817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-02-25
    plugin id133984
    published2020-02-25
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133984
    titleEulerOS 2.0 SP8 : ghostscript (EulerOS-SA-2020-1150)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2460-1.NASL
    descriptionThis update for ghostscript fixes the following issues : Security issues fixed : CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129381
    published2019-09-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129381
    titleSUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2019:2460-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202004-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202004-03 (GPL Ghostscript: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted file using GPL Ghostscript, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-04-07
    modified2020-04-02
    plugin id135114
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135114
    titleGLSA-202004-03 : GPL Ghostscript: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4111-1.NASL
    descriptionHiroki Matsukuma discovered that the PDF interpreter in Ghostscript did not properly restrict privileged calls when
    last seen2020-06-01
    modified2020-06-02
    plugin id128322
    published2019-08-29
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128322
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : ghostscript vulnerabilities (USN-4111-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1915.NASL
    descriptionIt was discovered that various procedures in Ghostscript, the GPL PostScript/PDF interpreter, do not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id128619
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128619
    titleDebian DLA-1915-1 : ghostscript security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2586.NASL
    descriptionFrom Red Hat Security Advisory 2019:2586 : An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix(es) : * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445) (CVE-2019-14811) * ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444) (CVE-2019-14812) * ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) (CVE-2019-14813) * ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) (CVE-2019-14817) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128445
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128445
    titleOracle Linux 7 : ghostscript (ELSA-2019-2586)

Redhat

advisories
  • bugzilla
    id1744042
    titleCVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentlibgs-devel is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586001
          • commentlibgs-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190971012
        • AND
          • commentghostscript-gtk is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586003
          • commentghostscript-gtk is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20120095013
        • AND
          • commentghostscript-doc is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586005
          • commentghostscript-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20120095011
        • AND
          • commentlibgs is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586007
          • commentlibgs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190971006
        • AND
          • commentghostscript-cups is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586009
          • commentghostscript-cups is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20170013010
        • AND
          • commentghostscript is earlier than 0:9.25-2.el7_7.2
            ovaloval:com.redhat.rhsa:tst:20192586011
          • commentghostscript is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20120095009
    rhsa
    idRHSA-2019:2586
    released2019-09-02
    severityImportant
    titleRHSA-2019:2586: ghostscript security update (Important)
  • bugzilla
    id1744042
    titleCVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 8 is installed
        oval: oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment: ghostscript-debugsource is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591001
          • comment: ghostscript-debugsource is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971004
        • AND
          • comment: libgs is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591003
          • comment: libgs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971006
        • AND
          • comment: ghostscript is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591005
          • comment: ghostscript is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095009
        • AND
          • comment: libgs-devel is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591007
          • comment: libgs-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971012
        • AND
          • comment: ghostscript-x11 is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591009
          • comment: ghostscript-x11 is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971014
        • AND
          • comment: ghostscript-tools-printing is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591011
          • comment: ghostscript-tools-printing is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971016
        • AND
          • comment: ghostscript-tools-fonts is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591013
          • comment: ghostscript-tools-fonts is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971018
        • AND
          • comment: ghostscript-tools-dvipdf is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591015
          • comment: ghostscript-tools-dvipdf is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190971010
        • AND
          • comment: ghostscript-doc is earlier than 0:9.25-2.el8_0.3
            oval: oval:com.redhat.rhsa:tst:20192591017
          • comment: ghostscript-doc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120095011
    rhsa
    id: RHSA-2019:2591
    released: 2019-09-02
    severity: Important
    title: RHSA-2019:2591: ghostscript security update (Important)
  • rhsa
    id: RHBA-2019:2824
  • rhsa
    id: RHSA-2019:2594
rpms
  • ghostscript-0:9.25-2.el7_7.2
  • ghostscript-cups-0:9.25-2.el7_7.2
  • ghostscript-debuginfo-0:9.25-2.el7_7.2
  • ghostscript-doc-0:9.25-2.el7_7.2
  • ghostscript-gtk-0:9.25-2.el7_7.2
  • libgs-0:9.25-2.el7_7.2
  • libgs-devel-0:9.25-2.el7_7.2
  • ghostscript-0:9.25-2.el8_0.3
  • ghostscript-debuginfo-0:9.25-2.el8_0.3
  • ghostscript-debugsource-0:9.25-2.el8_0.3
  • ghostscript-doc-0:9.25-2.el8_0.3
  • ghostscript-gtk-debuginfo-0:9.25-2.el8_0.3
  • ghostscript-tools-dvipdf-0:9.25-2.el8_0.3
  • ghostscript-tools-fonts-0:9.25-2.el8_0.3
  • ghostscript-tools-printing-0:9.25-2.el8_0.3
  • ghostscript-x11-0:9.25-2.el8_0.3
  • ghostscript-x11-debuginfo-0:9.25-2.el8_0.3
  • libgs-0:9.25-2.el8_0.3
  • libgs-debuginfo-0:9.25-2.el8_0.3
  • libgs-devel-0:9.25-2.el8_0.3

References