SB2017040312 - Multiple vulnerabilities in Ghostscript

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017040312

SB2017040312 - Multiple vulnerabilities in Ghostscript

Published: April 3, 2017 Updated: September 27, 2021

Security Bulletin ID SB2017040312
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2016-7976)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.


2) Use-after-free (CVE-ID: CVE-2016-7978)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice.


3) Use-after-free (CVE-ID: CVE-2016-10217)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing a crafted file that is mishandled in the color management module. A remote attackers can cause a denial of service (use-after-free and application crash).

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


4) NULL pointer dereference (CVE-ID: CVE-2016-10218)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted file.


Remediation

Install update from vendor's website.

References