CVE-2016-7979 — Incorrect Type Conversion or Cast in Ghostscript

CWE-704 — Incorrect Type Conversion or Cast CWE-20 — Improper Input Validation14 documents9 sources

Severity

9.8CRITICALNVD

OSV5.5

EPSS

2.6%

top 14.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Ghostscript

Timeline

PublishedMay 23

Latest updateMay 14

Description

Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Debianartifex/ghostscript< 9.19~dfsg-3.1+3

▶Ubuntuartifex/ghostscript< 9.10~dfsg-0ubuntu10.5+1

▶NVDartifex/ghostscript9.20

Patches

Patch: www.openwall.com ↗Patch: bugs.ghostscript.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-vwgm-gwqf-q8px: Ghostscript before 9↗2022-05-14

▶

CVEList

CVE-2016-7979: Ghostscript before 9↗2017-05-23

▶

OSV

CVE-2016-7979: Ghostscript before 9↗2017-05-23

▶

OSV

ghostscript vulnerabilities↗2016-12-02

▶

📋Vendor Advisories

Ubuntu

Ghostscript vulnerabilities↗2016-12-02

▶

Red Hat

ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution↗2016-10-04

▶

Red Hat

ntp: bad authentication demobilizes ephemeral associations↗2016-06-02

▶

Debian

CVE-2016-7979: ghostscript - Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode pr...↗2016

▶

💬Community

Bugzilla

CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution [fedora-all]↗2016-11-01

▶

Bugzilla

CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution↗2016-10-06

▶

Bugzilla

CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations↗2016-05-30

▶