http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cfde94be1d4286bc47633c6e6eaf4e659bd78066

DSA-3986

99991

https://bugs.ghostscript.com/show_bug.cgi?id=697985

GLSA-201811-12

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - psi/ztoken.c in Artifex Ghostscript 9.21 mishandles     references to the scanner state structure, which allows     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted PostScript document, related to an     out-of-bounds read in the igc_reloc_struct_ptr function     in psi/igc.c.(CVE-2017-11714)

  - The fill_threshhold_buffer function in     base/gxht_thresh.c in Artifex Software, Inc.
    Ghostscript 9.20 allows remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript     document.(CVE-2016-10317)

  - The gs_alloc_ref_array function in psi/ialloc.c in     Artifex Ghostscript 9.21 allows remote attackers to     cause a denial of service (heap-based buffer overflow     and application crash) or possibly have unspecified     other impact via a crafted PostScript document. This is     related to a lack of an integer overflow check in     base/gsalloc.c.(CVE-2017-9835)

  - The gs_makewordimagedevice function in base/gsdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file that is mishandled in the PDF Transparency     module.(CVE-2016-10220)

  - The intersect function in base/gxfill.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (divide-by-zero error and     application crash) via a crafted file.(CVE-2016-10219)

  - The mem_get_bits_rectangle function in base/gdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file.(CVE-2017-5951)

  - The pdf14_open function in base/gdevp14.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (use-after-free and     application crash) via a crafted file that is     mishandled in the color management     module.(CVE-2016-10217)

  - The pdf14_pop_transparency_group function in     base/gdevp14.c in the PDF Transparency module in     Artifex Software, Inc. Ghostscript 9.20 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) via a crafted     file.(CVE-2016-10218)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Artifex Ghostscript before 9.26, a carefully crafted     PDF file can trigger an extremely long running     computation when parsing the file.(CVE-2018-19478)

  - The gs_makewordimagedevice function in base/gsdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file that is mishandled in the PDF Transparency     module.(CVE-2016-10220)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - psi/ztoken.c in Artifex Ghostscript 9.21 mishandles     references to the scanner state structure, which allows     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted PostScript document, related to an     out-of-bounds read in the igc_reloc_struct_ptr function     in psi/igc.c.(CVE-2017-11714)

  - The gs_alloc_ref_array function in psi/ialloc.c in     Artifex Ghostscript 9.21 allows remote attackers to     cause a denial of service (heap-based buffer overflow     and application crash) or possibly have unspecified     other impact via a crafted PostScript document. This is     related to a lack of an integer overflow check in     base/gsalloc.c.(CVE-2017-9835)

  - The pdf14_pop_transparency_group function in     base/gdevp14.c in the PDF Transparency module in     Artifex Software, Inc. Ghostscript 9.20 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) via a crafted     file.(CVE-2016-10218)

  - The fill_threshhold_buffer function in     base/gxht_thresh.c in Artifex Software, Inc.
    Ghostscript 9.20 allows remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript     document.(CVE-2016-10317)

  - The pdf14_open function in base/gdevp14.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (use-after-free and     application crash) via a crafted file that is     mishandled in the color management     module.(CVE-2016-10217)

  - The intersect function in base/gxfill.c in Artifex     Software, Inc. Ghostscript 9.20 allows remote attackers     to cause a denial of service (divide-by-zero error and     application crash) via a crafted file.(CVE-2016-10219)

  - The mem_get_bits_rectangle function in base/gdevmem.c     in Artifex Software, Inc. Ghostscript 9.20 allows     remote attackers to cause a denial of service (NULL     pointer dereference and application crash) via a     crafted file.(CVE-2017-5951)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-12 (GPL Ghostscript: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in GPL Ghostscript. Please       review the CVE identifiers referenced below for additional information.
  Impact :

    A context-dependent attacker could entice a user to open a specially       crafted PostScript file or PDF document using GPL Ghostscript possibly       resulting in the execution of arbitrary code with the privileges of the       process, a Denial of Service condition, or other unspecified impacts,   Workaround :

    There is no known workaround at this time.

This update for ghostscript-library fixes several issues. These security issues were fixed :

  - CVE-2017-7207: The mem_get_bits_rectangle function     allowed remote attackers to cause a denial of service     (NULL pointer dereference) via a crafted PostScript     document (bsc#1030263).

  - CVE-2016-9601: Prevent heap-buffer overflow by checking     for an integer overflow in jbig2_image_new function     (bsc#1018128).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891)

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889)

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888)

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887)

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184)

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879)

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138)

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript fixes several issues. These security issues were fixed :

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879).

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643).

  - CVE-2016-10317: The fill_threshhold_buffer function in     base/gxht_thresh.c allowed remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript document (bsc#1032230).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891).

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889).

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888).

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887).

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184).

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript fixes several security issues :

  - CVE-2017-9835: The gs_alloc_ref_array function allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     PostScript document (bsc#1050879).

  - CVE-2017-9216: Prevent NULL pointer dereference in the     jbig2_huffman_get function in jbig2_huffman.c which     allowed for DoS (bsc#1040643).

  - CVE-2016-10317: The fill_threshhold_buffer function in     base/gxht_thresh.c allowed remote attackers to cause a     denial of service (heap-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted PostScript document (bsc#1032230).

  - CVE-2017-9612: The Ins_IP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (use-after-free and application crash) or possibly have     unspecified other impact via a crafted document     (bsc#1050891).

  - CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050889).

  - CVE-2017-9727: The gx_ttfReader__Read function in     base/gxttfb.c allowed remote attackers to cause a denial     of service (heap-based buffer over-read and application     crash) or possibly have unspecified other impact via a     crafted document (bsc#1050888).

  - CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c     allowed remote attackers to cause a denial of service     (heap-based buffer over-read and application crash) or     possibly have unspecified other impact via a crafted     document (bsc#1050887).

  - CVE-2017-11714: psi/ztoken.c mishandled references to     the scanner state structure, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted PostScript document, related to an out-of-bounds     read in the igc_reloc_struct_ptr function in psi/igc.c     (bsc#1051184).

  - CVE-2016-10219: The intersect function in base/gxfill.c     allowed remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted file (bsc#1032138).

This update was imported from the SUSE:SLE-12:Update update project.

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service if a specially crafted Postscript file is processed.

Kamil Frankowicz discovered that Ghostscript mishandles references. A remote attacker could use this to cause a denial of service.
(CVE-2017-11714)

Kim Gwan Yeong discovered that Ghostscript could allow a heap-based buffer over-read and application crash. A remote attacker could use a crafted document to cause a denial of service. (CVE-2017-9611, CVE-2017-9726, CVE-2017-9727, CVE-2017-9739)

Kim Gwan Yeong discovered an use-after-free vulnerability in Ghostscript. A remote attacker could use a crafted file to cause a denial of service. (CVE-2017-9612)

Kim Gwan Yeong discovered a lack of integer overflow check in Ghostscript. A remote attacker could use crafted PostScript document to cause a denial of service. (CVE-2017-9835).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several issues were found in Ghostscript, the GPL PostScript/PDF interpreter, which allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document.

For Debian 7 'Wheezy', these problems have been fixed in version 9.05~dfsg-6.3+deb7u7.

We recommend that you upgrade your ghostscript packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
132121	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-2586)	Nessus	Huawei Local Security Checks	medium
131862	EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-2370)	Nessus	Huawei Local Security Checks	medium
119132	GLSA-201811-12 : GPL Ghostscript: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
109572	SUSE SLES11 Security Update : ghostscript-library (SUSE-SU-2018:1140-1)	Nessus	SuSE Local Security Checks	medium
106745	SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:0407-1)	Nessus	SuSE Local Security Checks	medium
106744	openSUSE Security Update : ghostscript (openSUSE-2018-157)	Nessus	SuSE Local Security Checks	medium
103578	Debian DSA-3986-1 : ghostscript - security update	Nessus	Debian Local Security Checks	medium
102815	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ghostscript vulnerabilities (USN-3403-1)	Nessus	Ubuntu Local Security Checks	medium
102096	Debian DLA-1048-1 : ghostscript security update	Nessus	Debian Local Security Checks	medium

CVE-2017-9835

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins