{"id":"MGASA-2018-0378","summary":"Updated ghostscript packages fix security vulnerabilities","details":"Updated ghostscript packages fix several security vulnerabilities\nincluding:\n\nIn Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply\nmalicious PostScript files to bypass .tempfile restrictions and write files\n(CVE-2018-15908).\n\nIn Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the\n.shfill operator could be used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code (CVE-2018-15909).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files could use a type confusion in the LockDistillerParams\nparameter to crash the interpreter or execute code (CVE-2018-15910).\n\nIn Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply\ncrafted PostScript could use uninitialized memory access in the aesdecode\noperator to crash the interpreter or potentially execute code\n(CVE-2018-15911).\n\nAn issue was discovered in Artifex Ghostscript before 9.24. Incorrect \n\"restoration of privilege\" checking during handling of /invalidaccess\nexceptions could be used by attackers able to supply crafted PostScript\nto execute code using the \"pipe\" instruction (CVE-2018-16509).\n\nAn issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec\nstack handling in the \"CS\" and \"SC\" PDF primitives could be used by remote\nattackers able to supply crafted PDFs to crash the interpreter or possibly\nhave unspecified other impact (CVE-2018-16510).\n\nAn issue was discovered in Artifex Ghostscript before 9.24. A type\nconfusion in \"ztype\" could be used by remote attackers able to supply\ncrafted PostScript to crash the interpreter or possibly have unspecified\nother impact (CVE-2018-16511).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files could use a type confusion in the setcolor function to\ncrash the interpreter or possibly have unspecified other impact\n(CVE-2018-16513).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files could use incorrect access checking in temp file handling\nto disclose contents of files on the system otherwise not readable\n(CVE-2018-16539).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files to the builtin PDF14 converter could use a use-after-free\nin copydevice handling to crash the interpreter or possibly have unspecified\nother impact (CVE-2018-16540).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files could use incorrect free logic in pagedevice replacement\nto crash the interpreter (CVE-2018-16541).\n\nIn Artifex Ghostscript before 9.24, attackers able to supply crafted\nPostScript files could use insufficient interpreter stack-size checking\nduring error handling to crash the interpreter (CVE-2018-16542).\n\nIn Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution\nallow attackers to have an unspecified impact (CVE-2018-16543).\n\nAn issue was discovered in Artifex Ghostscript before 9.25. Incorrect\n\"restoration of privilege\" checking when running out of stack during\nexception handling could be used by attackers able to supply crafted\nPostScript to execute code using the \"pipe\" instruction. This is due to\nan incomplete fix for CVE-2018-16509 (CVE-2018-16802).\n\nGS Bug 699663 : .setdistillerkeys memory corruption. (CVE Requested)\n\nGS Bug 699699 : Crash upon bogus input argument\n\nGS Bug 699719: Fix @ files in arg handling\n\nGS Bug 699711: Review arg_next to ensure that NULL arg returns are coped with\n\nGS Bug Fix SEGV seen in all-devices test with plank examples/ridt91.eps\n\nGS Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER\n\nGS Bug 699707: Security review bug - continuation procedures\n","modified":"2026-04-16T01:45:48.758223431Z","published":"2018-09-20T23:17:55Z","upstream":["CVE-2018-15908","CVE-2018-15909","CVE-2018-15910","CVE-2018-15911","CVE-2018-16509","CVE-2018-16510","CVE-2018-16511","CVE-2018-16513","CVE-2018-16539","CVE-2018-16540","CVE-2018-16541","CVE-2018-16542","CVE-2018-16543","CVE-2018-16802"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0378.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23526"},{"type":"WEB","url":"https://www.ghostscript.com/doc/9.24/History9.htm#Version9.24"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2018/09/05/3"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2018/09/06/3"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2018/09/09/1"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2018/09/09/2"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2018/09/11/1"}],"affected":[{"package":{"name":"ghostscript","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/ghostscript?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.24-1.5.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0378.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}