EulerOS Virtualization 2.5.2 : ghostscript (EulerOS-SA-2019-1087)
High Nessus Plugin ID 122709
SynopsisThe remote EulerOS Virtualization host is missing multiple security updates.
DescriptionAccording to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
- The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document.(CVE-2018-10194)
- In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code.(CVE-2018-15910)
- An issue was discovered in Artifex Ghostscript before 9.24. Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction.(CVE-2018-16509)
- In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter.(CVE-2018-16542)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected ghostscript packages.