CVE-2004-1717
published 2004-08-16
CVE-2004-1717: Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long…
Priority P333 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 5.38% (91.7th percentile)
Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gv | < gv 1:3.6.1-1 (bookworm) | gv 1:3.6.1-1 (bookworm) |
| gv | gv | — | — |
| gv | gv | >= 0 < 1:3.6.1-1 | 1:3.6.1-1 |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_redhat · 4.6 MEDIUM
Debian
vendor_debian·2004·CVSS 7.5
CVE-2004-1717 [HIGH] CVE-2004-1717: gv - Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allo...
Scope: local
bookworm: resolved (fixed in 1:3.6.1-1)
bullseye: resolved (fixed in 1:3.6.1-1)
forky: resolved (fixed in 1:3.6.1-1)
sid: resolved (fixed in 1:3.6.1-1)
trixie: resolved (fixed in 1:3.6.1-1)
Red Hat
vendor_redhat·CVSS 4.6
CVE-2004-1717 [MEDIUM] CVE-2004-1717: Multiple buffer overflows in the psscan function in ps
Statement: This CVE is a duplicate (rediscovery) of CVE-2002-0838
GHSA
ghsa_unreviewed·2022-04-29
CVE-2004-1717 [HIGH] GHSA-xwc7-g658-j4rq: Multiple buffer overflows in the psscan function in ps
OSV
osv·2004-08-16·CVSS 7.5
CVE-2004-1717 [HIGH] CVE-2004-1717: Multiple buffer overflows in the psscan function in ps
No detection rules found.
Exploit-DB
exploitdb·2004-08-18
CVE-2004-1717 GV PostScript Viewer - Remote Buffer Overflow (2)
---
/* there are at least 4 other stack buffer overflows, and 2 heap overflows.
* the first exploit i wrote exploited the one in the GLSA, and this one exploits
* that hole and four other ones as well. all of these are in the psscan() function
* located in the ps.c file: 'grep -nP 'sscanf\(.*?%%.*?%s' ps.c'
*
* gv postscript viewer exploit part deux, infamous42md AT hotpop DOT com
*
* ok kiddies you've got choices here! we can overflow the text buffer at 5
* different places, we can also overflow the heap at 2 places, and ooh i
* bet if you look around there are tons of other places as well!
*
*/
#include
#include
#include
#include
#include
#include
#define NOP 0x90
#define NNOPS 512
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while
Exploit-DB
exploitdb·2004-08-13
CVE-2004-1717 GV PostScript Viewer - Remote Buffer Overflow (1)
---
/*
* gv postscript viewer exploit , infamous42md AT hotpop DOT com
*
* run of the mill bof. spawns a remote shell on port 7000. woopty doo. if
* someone has been able to exploit the heap overflow in cfengine, please email
* me and teach me something. after days of pain i've concluded it's not
* possible b/c you can't manipulate the heap enough to get anything good in
* front of you. please prove me wrong so i can learn.
*
* shouts to mitakeet
*
* [n00b localho outernet] netstat -ant | grep 7000
* [n00b localho outernet] gcc -Wall -o gvown gvown.c
* [n00b localho outernet] ./gvown 0xbffff350
* [n00b localho outernet] ./gv h4x0ring_sacr3ts_uncuv3red.ps
* [n00b localho outernet] netstat -ant | grep 7000
* tcp 0 0 0.0.0.0:7000 0.0.0.0:* L
No writeups or analysis indexed.