Debian DSA-2093-1 : ghostscript - several vulnerabilities

high Nessus Plugin ID 48386

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Two security issues have been discovered in Ghostscript, the GPL PostScript/PDF interpreter. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2009-4897 A buffer overflow was discovered that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted PDF document containing a long name.

- CVE-2010-1628 Dan Rosenberg discovered that ghostscript incorrectly handled certain recursive Postscript files. An attacker could execute arbitrary code via a PostScript file containing unlimited recursive procedure invocations, which trigger memory corruption in the stack of the interpreter.

Solution

Upgrade the ghostscript package.

For the stable distribution (lenny), these problems have been fixed in version 8.62.dfsg.1-3.2lenny5

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584516

https://security-tracker.debian.org/tracker/CVE-2009-4897

https://security-tracker.debian.org/tracker/CVE-2010-1628

https://www.debian.org/security/2010/dsa-2093

Plugin Details

Severity: High

ID: 48386

File Name: debian_DSA-2093.nasl

Version: 1.9

Type: local

Agent: unix

Published: 8/23/2010

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ghostscript, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/19/2010

Reference Information

CVE: CVE-2009-4897, CVE-2010-1628

BID: 40107, 41593

DSA: 2093