Debian Ghostscript vulnerabilities

CVE-2019-14812 [HIGH] CVE-2019-14812: ghostscript - A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserpar... A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. Scope: local bookworm

CVE-2019-6116 [HIGH] CVE-2019-6116: ghostscript - In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow... In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution. Scope: local bookworm: resolved (fixed in 9.26a~dfsg-1) bullseye: resolved (fixed in 9.26a~dfsg-1) forky: resolved (fixed in 9.26a~dfsg-1) sid: resolved (fixed in 9.26a~dfsg-1) trixie: resolved (fixed in 9.26a~dfsg-1)

CVE-2019-14869 [HIGH] CVE-2019-14869: ghostscript - A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.cha... A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside

CVE-2019-3835 [MEDIUM] CVE-2019-3835: ghostscript - It was found that the superexec operator was available in the internal dictionar... It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Scope: local bookworm: resolved (fixed in 9.27~dfsg-1) bullseye: resolved (fixed in 9.27~dfsg-1

CVE-2019-3838 [MEDIUM] CVE-2019-3838: ghostscript - It was found that the forceput operator could be extracted from the DefineResour... It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Scope: local bookworm: resolved (fixed in 9.27~dfsg-1) bullseye: resolved (fixed in 9.2

CVE-2018-19409 [CRITICAL] CVE-2018-19409: ghostscript - An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is ... An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Scope: local bookworm: resolved (fixed in 9.26~dfsg-1) bullseye: resolved (fixed in 9.26~dfsg-1) forky: resolved (fixed in 9.26~dfsg-1) sid: resolved (fixed in 9.26~dfsg-1) trixie: resolved (fixed in 9.26~dfsg-1)

CVE-2018-16802 [HIGH] CVE-2018-16802: ghostscript - An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restorati... An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509. Scope: local bookworm: resolved (fixed in 9.25

CVE-2018-15910 [HIGH] CVE-2018-15910: ghostscript - In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript ... In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. Scope: local bookworm: resolved (fixed in 9.22~dfsg-3) bullseye: resolved (fixed in 9.22~dfsg-3) forky: resolved (fixed in 9.22~dfsg-3) sid: resolved (fixed in 9.22~dfsg-3)

CVE-2018-16513 [HIGH] CVE-2018-16513: ghostscript - In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript ... In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. Scope: local bookworm: resolved (fixed in 9.22~dfsg-3) bullseye: resolved (fixed in 9.22~dfsg-3) forky: resolved (fixed in 9.22~dfsg-3) sid: resolved (fixed i

CVE-2018-16510 [HIGH] CVE-2018-16510: ghostscript - An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack... An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact. Scope: local bookworm: resolved (fixed in 9.25~dfsg-1) bullseye: resolved (fixed in 9.25~dfsg-1) forky: reso

CVE-2018-18284 [HIGH] CVE-2018-18284: ghostscript - Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protec... Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. Scope: local bookworm: resolved (fixed in 9.25~dfsg-3) bullseye: resolved (fixed in 9.25~dfsg-3) forky: resolved (fixed in 9.25~dfsg-3) sid: resolved (fixed in 9.25~dfsg-3) trixie: resolved (fixed in 9.25~dfsg-3)

CVE-2018-17183 [HIGH] CVE-2018-17183: ghostscript - Artifex Ghostscript before 9.25 allowed a user-writable error exception table, w... Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. Scope: local bookworm: resolved (fixed in 9.25~dfsg-1) bullseye: resolved (fixed in 9.25~dfsg-1) forky: resolved (fixed in 9.25~dfsg-1) sid: res

CVE-2018-15911 [HIGH] CVE-2018-15911: ghostscript - In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted ... In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. Scope: local bookworm: resolved (fixed in 9.22~dfsg-3) bullseye: resolved (fixed in 9.22~dfsg-3) forky: resolved (fixed in 9.22~dfsg-3) sid: resolved (fixe

CVE-2018-19475 [HIGH] CVE-2018-19475: ghostscript - psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to byp... psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. Scope: local bookworm: resolved (fixed in 9.26~dfsg-1) bullseye: resolved (fixed in 9.26~dfsg-1) forky: resolved (fixed in 9.26~dfsg-1) sid: resolved (fixed in 9.26~dfsg-1)

CVE-2018-16540 [HIGH] CVE-2018-16540: ghostscript - In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript ... In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. Scope: local bookworm: resolved (fixed in 9.22~dfsg-3) bullseye: resolved (fixed in 9.22~dfsg-3) forky: resolved (fixed in 9.22~d

CVE-2018-17961 [HIGH] CVE-2018-17961: ghostscript - Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protec... Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. Scope: local bookworm: resolved (fixed in 9.25~dfsg-3) bullseye: resolved (fixed in 9.25~dfsg-3) forky: resolved (fixed in 9.25~dfsg-3) sid: resolved (fix

CVE-2018-16509 [HIGH] CVE-2018-16509: ghostscript - An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restorati... An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. Scope: local bookworm: resolved (fixed in 9.25~dfsg-1) bullseye: resolved (fixed in 9.25~dfsg-1) forky: re

CVE-2018-15908 [HIGH] CVE-2018-15908: ghostscript - In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply mali... In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. Scope: local bookworm: resolved (fixed in 9.22~dfsg-3) bullseye: resolved (fixed in 9.22~dfsg-3) forky: resolved (fixed in 9.22~dfsg-3) sid: resolved (fixed in 9.22~dfsg-3) trixie: resolved (fixed in 9.22~dfsg-3

CVE-2018-19477 [HIGH] CVE-2018-19477: ghostscript - psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypa... psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. Scope: local bookworm: resolved (fixed in 9.26~dfsg-1) bullseye: resolved (fixed in 9.26~dfsg-1) forky: resolved (fixed in 9.26~dfsg-1) sid: resolved (fixed in 9.26~dfsg-1) trixie: resolved (fixed in 9.26~dfsg-1

CVE-2018-10194 [HIGH] CVE-2018-10194: ghostscript - The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite comp... The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. Scope: local bookworm: resolved (