CVE-2006-5864
Published: 2006-11-11
Priority: P3 · 34 · medium · CVSS 2.0 score 5.1
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit: EPSS 14.84% (96.3rd percentile)
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4) PaperSize headers. NOTE: this issue can be exploited through other products that use gv such as evince.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | evince | < evince 0.4.0-3 (bookworm) | evince 0.4.0-3 (bookworm) |
| debian | gv | < evince 0.4.0-3 (bookworm) | evince 0.4.0-3 (bookworm) |
| gnome | evince | >= 0 < 0.4.0-3 | 0.4.0-3 |
| gnu | gv | — | — |
| gv | gv | >= 0 < 1:3.6.2-3 | 1:3.6.2-3 |
CVSS provenance
| Source | CVSS | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| osv | — | 5.1 | MEDIUM | — |
| vendor_debian | — | 5.1 | MEDIUM | — |
| vendor_redhat | — | 5.1 | MEDIUM | — |
GHSA
GHSA-c7wv-85x6-hmhm: Stack-based buffer overflow in the ps_gettext function in ps
ghsa_unreviewed · 2022-05-01 · CVE-2006-5864 · MEDIUM · CWE-119
OSV
CVE-2006-5864: Stack-based buffer overflow in the ps_gettext function in ps
osv · 2006-11-11 · CVSS 5.1 · MEDIUM
Ubuntu
evince-gtk vulnerability
vendor_ubuntu · 2006-12-07 · CVE-2006-5864
USN-390-2 fixed vulnerabilities in evince. This update provides the corresponding update for evince-gtk.
Original advisory details:
A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Ubuntu
evince vulnerability
vendor_ubuntu · 2006-12-06 · CVE-2006-5864
USN-390-1 fixed a vulnerability in evince. The original fix did not fully solve the problem, allowing for a denial of service in certain situations.
Original advisory details:
A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Ubuntu
evince vulnerability
vendor_ubuntu · 2006-11-30 · CVE-2006-5864
A buffer overflow was discovered in the PostScript processor included in evince. By tricking a user into opening a specially crafted PS file, an attacker could crash evince or execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
CVE-2006-5864 evince contains a buffer overflow in get_next_text()
vendor_redhat · 2006-11-29 · CVSS 5.1 · MEDIUM
Statement: Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1. This issue did not affect Red Hat Enterprise Linux 3 or 4.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215593
The Red Hat Security Response Team has rat
Debian
CVE-2006-5864: evince - Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2,...
vendor_debian · 2006 · CVSS 5.1 · MEDIUM
Scope: local
bookworm: resolved (fixed in 0.4.0-3)
bullseye: resolved (fixed in 0.4.0-3)
forky: resolved (fixed in 0.4.0-3)
sid: resolved (fixed in 0.4.0-3)
trixie: resolved (fixed in 0.4.0-3)
No detection rules found.
Bugzilla
CVE-2006-5864 evince contains a buffer overflow in get_next_text()
bugzilla · 2006-11-29 · CVSS 5.1 · MEDIUM
+++ This bug was initially created as a clone of Bug #217672 +++
+++ This bug was initially created as a clone of Bug #215593 +++
The original GNU gv issue is described here:
http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded
Description of problem:
The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition, because it copies characters from the input file to a fixed-sized array text[].
How reproducible:
With specially crafted files looking like either of those below this paragraph. (Replace ... with something a bit longer than PSLINELENGTH (256), so it overwrites the stack. It can be potentially malicious code that might get executed on function return.)
%!PS-Adobe-3.0
%%DocumentMedia:
Bugzilla
CVE-2006-5864 evince contains a buffer overflow in get_next_text()
bugzilla · 2006-11-29 · CVSS 5.1 · MEDIUM
+++ This bug was initially created as a clone of Bug #215593 +++
The original GNU gv issue is described here:
http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded
Description of problem:
The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition, because it copies characters from the input file to a fixed-sized array text[].
How reproducible:
With specially crafted files looking like either of those below this paragraph. (Replace ... with something a bit longer than PSLINELENGTH (256), so it overwrites the stack. It can be potentially malicious code that might get executed on function return.)
%!PS-Adobe-3.0
%%DocumentMedia: ...
%!PS-Adobe-3.0
%%DocumentPaperSizes: ...
%!PS-Adobe-3.0
%%E
Bugzilla
CVE-2006-5864 GNU gv contains a buffer overflow in gettext()
bugzilla · 2006-11-14 · CVSS 5.1 · MEDIUM
Description of problem:
The function gettext() in ps.c is vulnerable to a buffer overflow condition, because it copies characters from the input file to a fixed-sized array text[].
Version-Release number of selected component (if applicable):
gv-3.5.8
How reproducible:
With specially crafted files looking like either of those below this paragraph. (Replace ... with something a bit longer than PSLINELENGTH (256), so it overwrites the stack. It can be potentially malicious code that might get executed on function return.)
%!PS-Adobe-3.0
%%DocumentMedia: ...
%!PS-Adobe-3.0
%%DocumentPaperSizes: ...
%!PS-Adobe-3.0
%%EndComments
%%BeginDefaults
%%PageMedia: ...
%!PS-Adobe-3.0
%%EndComments
%%BeginSetup
%%PaperSize: ...
Alternatively
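As an added illustration (not gv's code and not taken from any advisory or bug report on this page), the C sketch below shows the copy that the reports say ps_gettext() makes into a fixed text[] array, rewritten with an explicit bound, plus a check that flags a DSC header whose first value token would not have fit in PSLINELENGTH. The function names, the parsing rules and the constructed sample header are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define PSLINELENGTH 256 /* gv's fixed line-buffer size cited in the bug report */
/* Bounded version of the copy the report says ps_gettext() makes into a fixed
 * text[] array: skip blanks, then copy a (parenthesised) string or a
 * whitespace-delimited word into `text`, storing at most cap-1 bytes plus NUL.
 * Returns bytes stored; sets *truncated when the input did not fit.
 * Hypothetical reconstruction for this example, not gv's own code. */
size_t ps_gettext_bounded(const char *line, char *text, size_t cap, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (cap == 0) return 0;
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '(') {                     /* PostScript string: (...) */
        int level = 0;
        for (line++; *line && !(*line == ')' && level == 0); line++) {
            if (*line == '(') level++; else if (*line == ')') level--;
            if (n + 1 < cap) text[n++] = *line; else *truncated = 1;
        }
    } else {                                /* plain word up to whitespace */
        for (; *line && !strchr(" \t\n", *line); line++) {
            if (n + 1 < cap) text[n++] = *line; else *truncated = 1;
        }
    }
    text[n] = '\0';                         /* n <= cap-1: always in bounds */
    return n;
}

/* Parse a DSC header "%%Key: value" with the bounded copy; returns 1 when the
 * first value token would not fit in PSLINELENGTH (the header shape this CVE
 * describes), 0 for a normal or non-DSC line. */
int dsc_value_overlong(const char *line)
{
    char text[PSLINELENGTH]; int truncated;
    const char *colon = strchr(line, ':');
    if (line[0] != '%' || line[1] != '%' || colon == NULL) return 0;
    ps_gettext_bounded(colon + 1, text, sizeof text, &truncated);
    return truncated;
}

/* Constructed sample: a %%DocumentMedia header whose value is ~300 bytes. */
int demo_overlong_header(void)
{
    char line[PSLINELENGTH + 64];
    memset(line, 'A', sizeof line);
    memcpy(line, "%%DocumentMedia: ", 17);
    line[sizeof line - 1] = '\0';
    return dsc_value_overlong(line);
}
```

The unbounded original differs only in that the two copy loops have no `n + 1 < cap` check, which is what lets a header value longer than PSLINELENGTH run past text[].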
Bugzilla
CVE-2006-5864: gv (ghostview) <= 3.6.2 stack-based buffer overflow
bugzilla · 2006-11-13 · CVSS 5.1 · MEDIUM
+++ This bug was initially created as a clone of Bug #215136 +++
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
"Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header."
Discussion:
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.
Bugzilla
CVE-2006-5864: gv <= 3.6.2 stack-based buffer overflow
bugzilla · 2006-11-11 · CVSS 5.1 · MEDIUM
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5864
"Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header."
Discussion:
Mandriva Linux Security Advisory, MDKSA-2006:214-1, says the following:
"The patch used in the previous update still left the possibility of causing X to consume unusual amounts of memory if gv is used to view a carefully crafted image designed to exploit CVE-2006-5864. This update uses an improved patch to address this issue."
For patches see, for example, gv-3.6.1-4.3.20060mdk.
References
http://secunia.com/advisories/22787
http://secunia.com/advisories/22932
http://secunia.com/advisories/23006
http://secunia.com/advisories/23018
http://secunia.com/advisories/23111
http://secunia.com/advisories/23118
http://secunia.com/advisories/23183
http://secunia.com/advisories/23266
http://secunia.com/advisories/23306
http://secunia.com/advisories/23335
http://secunia.com/advisories/23353
http://secunia.com/advisories/23409
http://secunia.com/advisories/23579
http://secunia.com/advisories/24649
http://secunia.com/advisories/24787
http://security.gentoo.org/glsa/glsa-200611-20.xml
http://security.gentoo.org/glsa/glsa-200703-24.xml
http://security.gentoo.org/glsa/glsa-200704-06.xml
http://www.debian.org/security/2006/dsa-1214
http://www.debian.org/security/2006/dsa-1243
http://www.kb.cert.org/vuls/id/352825
http://www.mandriva.com/security/advisories?name=MDKSA-2006:214
http://www.mandriva.com/security/advisories?name=MDKSA-2006:229
http://www.novell.com/linux/security/advisories/2006_26_sr.html
http://www.novell.com/linux/security/advisories/2006_28_sr.html
http://www.novell.com/linux/security/advisories/2006_29_sr.html
http://www.securityfocus.com/archive/1/451057/100/0/threaded
http://www.securityfocus.com/archive/1/451422/100/200/threaded
http://www.securityfocus.com/archive/1/452868/100/0/threaded
http://www.securityfocus.com/bid/20978
http://www.ubuntu.com/usn/usn-390-1
http://www.ubuntu.com/usn/usn-390-2
http://www.ubuntu.com/usn/usn-390-3
http://www.vupen.com/english/advisories/2006/4424
http://www.vupen.com/english/advisories/2006/4747
https://exchange.xforce.ibmcloud.com/vulnerabilities/30153
https://exchange.xforce.ibmcloud.com/vulnerabilities/30555
https://issues.rpath.com/browse/RPL-850
https://www.exploit-db.com/exploits/2858
Published: 2006-11-11