Debian Ghostscript vulnerabilities

CVE-2024-46953 [HIGH] CVE-2024-46953: ghostscript - An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0... An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u6) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u9) fo

CVE-2024-29506 [HIGH] CVE-2024-29506: ghostscript - Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi... Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u5) bullseye: resolved forky: resolved (fixed in 10.03.0~dfsg-1) sid: resolved (fixed in 10.03.0~dfsg-1) trixie: resolved (fixed in 10.03.0~dfsg-1)

CVE-2024-29507 [MEDIUM] CVE-2024-29507: ghostscript - Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow v... Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u5) bullseye: resolved forky: resolved (fixed in 10.03.0~dfsg-1) sid: resolved (fixed in 10.03.0~dfsg-1) trixie: resolved (fixed in 10.03.0~dfsg-1)

CVE-2024-46955 [MEDIUM] CVE-2024-46955: ghostscript - An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. T... An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u6) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u9) forky: resolved (fixed in 10.04.0~dfsg-1) sid: resolved (fixed in 10.04.0~dfsg-1) trixie: r

CVE-2024-33870 [MEDIUM] CVE-2024-33870: ghostscript - An issue was discovered in Artifex Ghostscript before 10.03.1. There is path tra... An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted. Scope: local bookworm: resolved (fixed in 10.0.0~d

CVE-2024-33869 [MEDIUM] CVE-2024-33869: ghostscript - An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal an... An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u4) b

CVE-2024-29510 [MEDIUM] CVE-2024-29510: ghostscript - Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox b... Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u4) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u7) forky: resolved (fixed in 10.03.1~dfsg~git20240518-1) sid: resolved (fixed in 10.03.1~dfsg~git20240518-1)

CVE-2024-46954 [HIGH] CVE-2024-46954: ghostscript - An issue was discovered in decode_utf8 in base/gp_utf8.c in Artifex Ghostscript ... An issue was discovered in decode_utf8 in base/gp_utf8.c in Artifex Ghostscript before 10.04.0. Overlong UTF-8 encoding leads to possible ../ directory traversal. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 10.04.0~dfsg-1) sid: resolved (fixed in 10.04.0~dfsg-1) trixie: resolved (fixed in 10.04.0~dfsg-1)

CVE-2024-29508 [LOW] CVE-2024-29508: ghostscript - Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observab... Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u5) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u8) forky: resolved (fixed in 10.03.0~dfsg-1) sid: resolved (fixed in 10.03.0~dfsg-1) trixie: resol

CVE-2024-29511 [HIGH] CVE-2024-29511: ghostscript - Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a direct... Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 10

CVE-2023-28879 [CRITICAL] CVE-2023-28879: ghostscript - In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to po... In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written. Sco

CVE-2023-36664 [HIGH] CVE-2023-36664: ghostscript - Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe de... Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u1) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u5) forky: resolved (fixed in 10.01.2~dfsg-1) sid: resolved (fixed in 10.01.2~dfsg-1) trixie: resolved (fix

CVE-2023-46751 [HIGH] CVE-2023-46751: ghostscript - An issue was discovered in the function gdev_prn_open_printer_seekable() in Arti... An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u3) bullseye: resolved forky: resolved (fixed in 10.02.1~dfsg-1) sid: resolved (fixed in 10.02.1~dfsg-1) trixie: reso

CVE-2023-43115 [HIGH] CVE-2023-43115: ghostscript - In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote... In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execu

CVE-2023-38559 [MEDIUM] CVE-2023-38559: ghostscript - A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle()... A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u2) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u6) forky: resolved (fi

CVE-2023-52722 [MEDIUM] CVE-2023-52722: ghostscript - An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, whe... An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. Scope: local bookworm: resolved (fixed in 10.0.0~dfsg-11+deb12u4) bullseye: resolved (fixed in 9.53.3~dfsg-7+deb11u7) forky: resolved (fixed in 10.02.0~dfsg-1) sid: resolved (fixed in 10.02.0~dfsg-1) trixie: r

CVE-2023-4042 [MEDIUM] CVE-2023-4042: ghostscript - A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was n... A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2023-38560 [MEDIUM] CVE-2023-38560: ghostscript - An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in gh... An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 10.02.0~dfsg-1) sid: resolved (fixed in 10.02.0~dfsg-1) trixie: resolved (fixed in 1

CVE-2022-2085 [MEDIUM] CVE-2022-2085: ghostscript - A NULL pointer dereference vulnerability was found in Ghostscript, which occurs ... A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init

CVE-2022-1350 [MEDIUM] CVE-2022-1350: ghostscript - A vulnerability classified as problematic was found in GhostPCL 9.55.0. This vul... A vulnerability classified as problematic was found in GhostPCL 9.55.0. This vulnerability affects the function chunk_free_object of the file gsmchunk.c. The manipulation with a malicious file leads to a memory corruption. The attack can be initiated remotely but requires user interaction. The exploit has been disclosed to the public as a POC and may be used. It