http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=693baf02152119af6e6afd30bb8ec76d14f84bbf

106278

RHSA-2018:3834

https://bugs.ghostscript.com/show_bug.cgi?id=700141

[debian-lts-announce] 20181227 [SECURITY] [DLA 1620-1] ghostscript security update

https://semmle.com/news/semmle-discovers-severe-vulnerability-ghostscript-postscript-pdf

https://www.ghostscript.com/doc/9.26/News.htm

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used. (CVE-2018-19409)

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document. (CVE-2018-15908)

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect restoration of privilege checking when     running out of stack during exception handling could be     used by attackers able to supply crafted PostScript to     execute code using the pipe instruction. This is due     to an incomplete fix for CVE-2018-16509.
    (CVE-2018-16802)

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript document.
    (CVE-2018-16541)

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document. (CVE-2018-15911)

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this to     bypass the -dSAFER protection and disclose the content     of affected files via a specially crafted PostScript     document. (CVE-2018-16539)

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code. (CVE-2018-17183)

  - Artifex Ghostscript 9.25 and earlier allows attackers to     bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for CVE-2018-17183.
    (CVE-2018-17961)

  - Artifex Ghostscript allows attackers to bypass a sandbox     protection mechanism by leveraging exposure of system     operators in the saved execution stack in an error     object. (CVE-2018-18073)

  - Artifex Ghostscript 9.25 and earlier allows attackers to     bypass a sandbox protection mechanism via vectors     involving the 1Policy operator. (CVE-2018-18284)

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript document.
    (CVE-2018-16863)

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit this     to crash Ghostscript or, possibly, execute arbitrary     code in the context of the Ghostscript process. This is     a type confusion issue because of failure to check     whether the Implementation of a pattern dictionary was a     structure type. (CVE-2018-19134)

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript document. (CVE-2018-15909)

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process. (CVE-2018-16511)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.(CVE-2018-19409)

  - In Artifex Ghostscript 9.23 before 2018-08-24,     attackers able to supply crafted PostScript could use     uninitialized memory access in the aesdecode operator     to crash the interpreter or potentially execute     code.(CVE-2018-15911)

  - In Artifex Ghostscript before 9.24, attackers able to     supply crafted PostScript files could use incorrect     free logic in pagedevice replacement to crash the     interpreter.(CVE-2018-16541)

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.(CVE-2018-16802)

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.(CVE-2018-17183)

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.(CVE-2018-18073)

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.(CVE-2018-18284)

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.(CVE-2018-17961)

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.(CVE-2018-19134)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document.i1/4^CVE-2018-15908i1/4%0

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15909i1/4%0

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process.i1/4^CVE-2018-16511i1/4%0

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this     to bypass the -dSAFER protection and disclose the     content of affected files via a specially crafted     PostScript document.i1/4^CVE-2018-16539i1/4%0

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript     document.i1/4^CVE-2018-16541i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

  - ghostscript: incorrect access checking in temp file     handling to disclose contents of files (699658)     (CVE-2018-16539)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- rebase to latest upstream version 9.26

  - Security fix for CVE-2018-19478 CVE-2018-19134     CVE-2018-19477 CVE-2018-19476 CVE-2018-19475     CVE-2018-19409 CVE-2018-18284 CVE-2018-18073     CVE-2018-17961

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

  - ghostscript: gssetresolution and gsgetresolution memory     corruption(CVE-2018-16543)

  - ghostscript: use-after-free in copydevice     handling(CVE-2018-16540)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document.i1/4^CVE-2018-15908i1/4%0

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15909i1/4%0

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process.i1/4^CVE-2018-16511i1/4%0

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this     to bypass the -dSAFER protection and disclose the     content of affected files via a specially crafted     PostScript document.i1/4^CVE-2018-16539i1/4%0

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript     document.i1/4^CVE-2018-16541i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

  - It was discovered that ghostscript did not properly     handle certain stack overflow error conditions. An     attacker could possibly exploit this to bypass the
    -dSAFER protection and crash ghostscript or, possibly,     execute arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-16542i1/4%0

  - It was discovered that the type of the     LockDistillerParams parameter is not properly verified.
    An attacker could possibly exploit this to bypass the
    -dSAFER protection and crash ghostscript or, possibly,     execute arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15910i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect free logic in pagedevice     replacement (699664) (CVE-2018-16541)

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incorrect access checking in temp file     handling to disclose contents of files (699658)     (CVE-2018-16539)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Some vulnerabilities were discovered in ghostscript, an interpreter for the PostScript language and for PDF.

CVE-2018-19134

The setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type.

CVE-2018-19478

Attempting to open a carefully crafted PDF file results in long-running computation. A sufficiently bad page tree can lead to us taking significant amounts of time when checking the tree for recursion.

For Debian 8 'Jessie', these problems have been fixed in version 9.06~dfsg-2+deb8u13.

We recommend that you upgrade your ghostscript packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - ghostscript: Incorrect free logic in pagedevice     replacement (699664) (CVE-2018-16541)

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

Bug Fix(es) :

  - It has been found that ghostscript-9.07-31.el7_6.1     introduced regression during the handling of shading     objects, causing a 'Dropping incorrect smooth shading     object' warning. With this update, the regression has     been fixed and the described problem no longer occurs.

From Red Hat Security Advisory 2018:3834 :

An update for ghostscript is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Security Fix(es) :

* ghostscript: Incorrect free logic in pagedevice replacement (699664) (CVE-2018-16541)

* ghostscript: Incorrect 'restoration of privilege' checking when running out of stack during exception handling (CVE-2018-16802)

* ghostscript: User-writable error exception table (CVE-2018-17183)

* ghostscript: Saved execution stacks can leak operator arrays (incomplete fix for CVE-2018-17183) (CVE-2018-17961)

* ghostscript: Saved execution stacks can leak operator arrays (CVE-2018-18073)

* ghostscript: 1Policy operator allows a sandbox protection bypass (CVE-2018-18284)

* ghostscript: Type confusion in setpattern (700141) (CVE-2018-19134)

* ghostscript: Improperly implemented security check in zsetdevice function in psi/zdevice.c (CVE-2018-19409)

* ghostscript: Uninitialized memory access in the aesdecode operator (699665) (CVE-2018-15911)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting CVE-2018-16541.

Bug Fix(es) :

* It has been found that ghostscript-9.07-31.el7_6.1 introduced regression during the handling of shading objects, causing a 'Dropping incorrect smooth shading object' warning. With this update, the regression has been fixed and the described problem no longer occurs.
(BZ#1657822)

An update for ghostscript is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Security Fix(es) :

* ghostscript: Incorrect free logic in pagedevice replacement (699664) (CVE-2018-16541)

* ghostscript: Incorrect 'restoration of privilege' checking when running out of stack during exception handling (CVE-2018-16802)

* ghostscript: User-writable error exception table (CVE-2018-17183)

* ghostscript: Saved execution stacks can leak operator arrays (incomplete fix for CVE-2018-17183) (CVE-2018-17961)

* ghostscript: Saved execution stacks can leak operator arrays (CVE-2018-18073)

* ghostscript: 1Policy operator allows a sandbox protection bypass (CVE-2018-18284)

* ghostscript: Type confusion in setpattern (700141) (CVE-2018-19134)

* ghostscript: Improperly implemented security check in zsetdevice function in psi/zdevice.c (CVE-2018-19409)

* ghostscript: Uninitialized memory access in the aesdecode operator (699665) (CVE-2018-15911)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting CVE-2018-16541.

Bug Fix(es) :

* It has been found that ghostscript-9.07-31.el7_6.1 introduced regression during the handling of shading objects, causing a 'Dropping incorrect smooth shading object' warning. With this update, the regression has been fixed and the described problem no longer occurs.
(BZ#1657822)

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26 which includes additional changes.

The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.26. It is, therefore, affected by multiple vulnerabilities.

ID	Name	Product	Family	Severity
127227	NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0046)	Nessus	NewStart CGSL Local Security Checks	high
124887	EulerOS Virtualization for ARM 64 3.0.1.0 : ghostscript (EulerOS-SA-2019-1384)	Nessus	Huawei Local Security Checks	high
123895	EulerOS Virtualization 2.5.4 : ghostscript (EulerOS-SA-2019-1209)	Nessus	Huawei Local Security Checks	high
123891	EulerOS Virtualization 2.5.3 : ghostscript (EulerOS-SA-2019-1205)	Nessus	Huawei Local Security Checks	high
122376	EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-1049)	Nessus	Huawei Local Security Checks	high
122284	Fedora 28 : ghostscript (2019-82acb29c1b)	Nessus	Fedora Local Security Checks	high
122169	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-1022)	Nessus	Huawei Local Security Checks	high
122103	Fedora 29 : ghostscript (2019-077a3f23c0)	Nessus	Fedora Local Security Checks	high
121276	EulerOS Virtualization 2.5.1 : ghostscript (EulerOS-SA-2019-1016)	Nessus	Huawei Local Security Checks	high
120992	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-1004)	Nessus	Huawei Local Security Checks	high
119901	EulerOS Virtualization 2.5.2 : ghostscript (EulerOS-SA-2018-1412)	Nessus	Huawei Local Security Checks	high
119890	Debian DLA-1620-1 : ghostscript security update	Nessus	Debian Local Security Checks	medium
119883	Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20181217)	Nessus	Scientific Linux Local Security Checks	high
119757	Oracle Linux 7 : ghostscript (ELSA-2018-3834)	Nessus	Oracle Linux Local Security Checks	high
119754	CentOS 7 : ghostscript (CESA-2018:3834)	Nessus	CentOS Local Security Checks	high
119736	RHEL 7 : ghostscript (RHSA-2018:3834)	Nessus	Red Hat Local Security Checks	high
119269	Debian DSA-4346-1 : ghostscript - security update	Nessus	Debian Local Security Checks	high
119240	Artifex Ghostscript < 9.26 PostScript Multiple Vulnerabilities	Nessus	Windows	high

CVE-2018-19134

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins