98680

https://bugs.ghostscript.com/show_bug.cgi?id=697934

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the .pdf_hook_DSC_Creator procedure     where it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - In Artifex Ghostscript before 9.26, a carefully crafted     PDF file can trigger an extremely long running     computation when parsing the file.(CVE-2018-19478)

  - It was found that the .buildfont1 procedure did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. An attacker could     abuse this flaw by creating a specially crafted     PostScript file that could escalate privileges and     access files outside of restricted     areas.(CVE-2019-10216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdfexectoken and other procedures where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14817)

  - A flaw was found in ghostscript, versions 9.x before     9.50, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before     9.50, in the .setuserparams2 procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - A heap based buffer overflow was found in the     ghostscript jbig2_decode_gray_scale_image() function     used to decode halftone segments in a JBIG2 image. A     document (PostScript or PDF) with an embedded,     specially crafted, jbig2 image could trigger a     segmentation fault in ghostscript.(CVE-2016-9601)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - psi/ztoken.c in Artifex Ghostscript 9.21 mishandles     references to the scanner state structure, which allows     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted PostScript document, related to an     out-of-bounds read in the igc_reloc_struct_ptr function     in psi/igc.c.(CVE-2017-11714)

  - The fill_threshhold_buffer function in     base/gxht_thresh.c in Artifex Software, Inc.
    Ghostscript 9.20 allows remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript     document.(CVE-2016-10317)

  - The gs_alloc_ref_array function in psi/ialloc.c in     Artifex Ghostscript 9.21 allows remote attackers to     cause a denial of service (heap-based buffer overflow     and application crash) or possibly have unspecified     other impact via a crafted PostScript document. This is     related to a lack of an integer overflow check in     base/gsalloc.c.(CVE-2017-9835)

  - The gs_makewordimagedevice function in base/gsdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file that is mishandled in the PDF Transparency     module.(CVE-2016-10220)

  - The intersect function in base/gxfill.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (divide-by-zero error and     application crash) via a crafted file.(CVE-2016-10219)

  - The mem_get_bits_rectangle function in base/gdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file.(CVE-2017-5951)

  - The pdf14_open function in base/gdevp14.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (use-after-free and     application crash) via a crafted file that is     mishandled in the color management     module.(CVE-2016-10217)

  - The pdf14_pop_transparency_group function in     base/gdevp14.c in the PDF Transparency module in     Artifex Software, Inc. Ghostscript 9.20 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) via a crafted     file.(CVE-2016-10218)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript-library fixes several issues. These security issues were fixed :

  - CVE-2017-7207: The mem_get_bits_rectangle function     allowed remote attackers to cause a denial of service     (NULL pointer dereference) via a crafted PostScript     document (bsc#1030263).

  - CVE-2016-9601: Prevent heap-buffer overflow by checking     for an integer overflow in jbig2_image_new function     (bsc#1018128).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891)

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889)

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888)

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887)

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184)

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879)

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138)

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript fixes several issues. These security issues were fixed :

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879).

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643).

  - CVE-2016-10317: The fill_threshhold_buffer function in     base/gxht_thresh.c allowed remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript document (bsc#1032230).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891).

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889).

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888).

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887).

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184).

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript fixes several security issues :

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879).

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643).

  - CVE-2016-10317: The fill_threshhold_buffer function in     base/gxht_thresh.c allowed remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript document (bsc#1032230).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891).

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889).

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888).

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887).

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184).

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138).

This update was imported from the SUSE:SLE-12:Update update project.

Latest release of `Ghostscript` (version `9.22`) fixes several
*low-impact* security issues, as it provides regular quality improvements & fixes as well.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2017-15369 CVE-2017-15587 CVE-2017-9216 CVE-2017-14685 CVE-2017-14686 CVE-2017-14687

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

update to 0.14 (bugfix release)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

update to 0.14 (bugfix release CVE-2017-9216)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135661	EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)	Nessus	Huawei Local Security Checks	high
134529	EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)	Nessus	Huawei Local Security Checks	high
132121	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-2586)	Nessus	Huawei Local Security Checks	medium
131802	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2528)	Nessus	Huawei Local Security Checks	medium
109572	SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2018:1140-1)	Nessus	SuSE Local Security Checks	medium
106745	SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:0407-1)	Nessus	SuSE Local Security Checks	medium
106744	openSUSE Security Update : ghostscript (openSUSE-2018-157)	Nessus	SuSE Local Security Checks	medium
105974	Fedora 27 : ghostscript / poppler-data (2017-c9b0c406b3)	Nessus	Fedora Local Security Checks	medium
105942	Fedora 27 : mupdf (2017-a1ad512b22)	Nessus	Fedora Local Security Checks	medium
105844	Fedora 27 : jbig2dec (2017-2e5119be33)	Nessus	Fedora Local Security Checks	medium
105132	Fedora 25 : mupdf (2017-9ae6e39bde)	Nessus	Fedora Local Security Checks	medium
104976	Fedora 26 : mupdf (2017-267f37c544)	Nessus	Fedora Local Security Checks	medium
104832	Fedora 25 : jbig2dec (2017-ed565f9ed0)	Nessus	Fedora Local Security Checks	medium
104725	Fedora 26 : jbig2dec (2017-13f0fd3028)	Nessus	Fedora Local Security Checks	medium

CVE-2017-9216

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins