Artifex Ghostscript vulnerabilities

128 known vulnerabilities affecting artifex/ghostscript.

Total CVEs: 128
CISA KEV: 1 (actively exploited)
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 56, MEDIUM 58, LOW 2

Vulnerabilities

Page 2 of 7
CVE-2024-29511 | HIGH | CVSS 7.5 | fixed in 10.03.1 | 2024-07-03
CWE-489: Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.
Source: NVD
CVE-2024-33871 | HIGH | CVSS 8.8 | fixed in 10.03.1 | 2024-07-03
CWE-94: An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
Source: NVD
CVE-2024-29506 | HIGH | CVSS 8.8 | fixed in 10.03.0 | 2024-07-03
CWE-787: Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
Source: NVD
CVE-2024-33869 | MEDIUM | CVSS 5.3 | fixed in 10.03.1 | 2024-07-03
CWE-22: An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
Source: NVD
CVE-2024-29507 | MEDIUM | CVSS 5.4 | fixed in 10.03.0 | 2024-07-03
CWE-120: Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.
Source: NVD
CVE-2024-29510 | MEDIUM | CVSS 6.3 | fixed in 10.03.1 | 2024-07-03
CWE-693: Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
Source: NVD
CVE-2024-33870 | MEDIUM | CVSS 6.3 | fixed in 10.03.1 | 2024-07-03
CWE-22: An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
Source: NVD
CVE-2024-29508 | LOW | CVSS 3.3 | fixed in 10.03.0 | 2024-07-03
CWE-122: Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
Source: NVD
CVE-2023-52722 | MEDIUM | CVSS 5.5 | fixed in 10.03.1 | 2024-04-28
An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard.
Source: NVD
CVE-2020-36773 | CRITICAL | CVSS 9.8 | v9.51, v9.52, +2 more | 2024-02-04
CWE-416: Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
Source: NVD
CVE-2023-46751 | HIGH | CVSS 7.5 | ≤ 10.02.0 | 2023-12-06
CWE-416: An issue in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
Source: NVD
CVE-2023-43115 | HIGH | CVSS 8.8 | ≤ 10.01.2 | 2023-09-18
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must exe
Source: NVD
CVE-2023-4042 | MEDIUM | CVSS 5.5 | fixed in 9.51 | 2023-08-23
A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8.
Source: NVD
CVE-2020-21890 | HIGH | CVSS 7.8 | v9.50 | 2023-08-22
CWE-787: Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of crafted PDF document.
Source: NVD
CVE-2020-21710 | MEDIUM | CVSS 5.5 | v9.50 | 2023-08-22
CWE-369: A divide by zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50 allows remote attackers to cause a denial of service via opening of crafted PDF file.
Source: NVD
CVE-2023-38559 | MEDIUM | CVSS 5.5 | fixed in 10.02.0 | 2023-08-01
CWE-125: A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
Source: NVD
CVE-2023-36664 | HIGH | CVSS 7.8 | ≤ 10.01.2 | 2023-06-25
CWE-552: Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
Source: NVD
CVE-2023-28879 | CRITICAL | CVSS 9.8 | fixed in 10.01.0 | 2023-03-31
CWE-787: In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are w
Source: NVD
CVE-2020-27792 | HIGH | CVSS 7.1 | ≤ 9.50 | 2022-08-19
CWE-119: A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in the gdevlp8k.c file. This flaw allows an attacker to trick a user into opening a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.
Source: NVD
CVE-2022-2085 | MEDIUM | CVSS 5.5 | v9.55.0 | 2022-06-16
CWE-476: A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not h
Source: NVD
Artifex Ghostscript vulnerabilities | cvebase