SB2017042802 - Debian update for ghostscript
Published: April 28, 2017
Security Bulletin ID
SB2017042802
Severity
Critical
Patch available
YES
Number of vulnerabilities
5
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Division by zero (CVE-ID: CVE-2016-10219)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to divide-by-zero error within the intersect() function in base/gxfill.c in Ghostscript 9.20. A remote attacker can perform a denial of service (divide-by-zero error and application crash) via a specially crafted file.
2) NULL pointer dereference (CVE-ID: CVE-2016-10220)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to NULL pointer dereference error within the gs_makewordimagedevice() function in base/gsdevmem.c. A remote attacker can create a specially crafted PDF file, pass it to the affected application, trigger NULL pointer dereference and crash the application.
3) NULL pointer dereference (CVE-ID: CVE-2017-5951)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to a NULL pointer dereference error within the mem_get_bits_rectangle() function in base/gdevmem.c in Ghostscript. A remote attacker can create a specially crafted file, pass it to the affected application and crash it.
4) NULL pointer dereference (CVE-ID: CVE-2017-7207)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to a NULL pointer dereference error within the mem_get_bits_rectangle() function in base/gdevmem.c in Ghostscript. A remote attacker can create a specially crafted PostScript file, pass it to the affected application and crash it.
5) Type confusion (CVE-ID: CVE-2017-8291)
The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system.The weakness exists due to type confusion error when processing user-supplied parameters passed to the .rsdparams and .eqproc functions in ghostscript. A remote attacker can submit a specially crafted .eps document, execute code in the context of the ghostscript process and bypass -dSAFER protection.
Successful exploitation of the vulnerability may result in system compromise.
Note: this vulnerability is being exploited in the wild.
Remediation
Install update from vendor's website.
References
- https://bugs.ghostscript.com/show_bug.cgi?id=697453
- http://www.ghostscript.com/cgi-bin/findgit.cgi?4bef1a1d32e29b68855616020dbff574b9cda08f
- https://patchwork.openembedded.org/patch/139337/
- http://seclists.org/oss-sec/2017/q2/155
- https://bugs.ghostscript.com/show_bug.cgi?id=697799
- https://www.rapid7.com/db/modules/exploit/unix/fileformat/ghostscript_type_confusion