Input validation error in ghostscript (Alpine package)



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2015-3228
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 ghostscript (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33785

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-3228

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote attackers to cause a denial of service (crash) via a crafted Postscript (ps) file, as demonstrated by using the ps2pdf command, which triggers an out-of-bounds read or write.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ghostscript (Alpine package): 9.04-r0 - 9.10-r1

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=2e939e62766bb3312688de5c933788f9e86f4b6c
https://git.alpinelinux.org/aports/commit/?id=6c275fa9475ad80a6e7801bf9356cb7acc22c654
https://git.alpinelinux.org/aports/commit/?id=85d3c3bf7d2914b99cad25b6b45a73e5c8f7df54
https://git.alpinelinux.org/aports/commit/?id=4562dbd2e017349035b31df017bee36d5d6b201b
https://git.alpinelinux.org/aports/commit/?id=ca4a30adeb8a02a127c6030e2730f8ec7900c915


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###