Project

General

Profile

Bug #9691

Bug #9689: ghostscript: Multiple vulnerabilities: (CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477)

[3.8] ghostscript: Multiple vulnerabilities: (CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477)

Added by Alicha CH 7 months ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
Start date:
11/26/2018
Due date:
% Done:

100%

Estimated time:
Affected versions:
Security IDs:
CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477

Description

CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not
checked correctly if another device is used.

Fixed In Version:

ghostscript 9.26

References:

https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
https://nvd.nist.gov/vuln/detail/CVE-2018-19409

Patches:

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=661e8d8fb
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea1b3ef43

CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19475
https://bugs.ghostscript.com/show_bug.cgi?id=700153

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315 (master)

CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended
access restrictions because of a setcolorspace type confusion.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19476
https://bugs.ghostscript.com/show_bug.cgi?id=700169

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=67d760ab775dae4efe803b5944b0439aa3c0b04a (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=434753adbe8be5534bfb9b7d91746023e8073d16 (master)

CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19477
https://bugs.ghostscript.com/show_bug.cgi?id=700168

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef252e7dc214bcbd9a2539216aab9202848602bb (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=606a22e77e7f081781e99e44644cd0119f559e03 (master)

Associated revisions

Revision 38c2fab4 (diff)
Added by J0WI 7 months ago

main/ghostscript: security fixes (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284)

ref #9691

Revision d58edba2 (diff)
Added by Andy Postnikov 7 months ago

main/ghostscript: security upgrade to 9.26 (CVE-2018-19409)

fixes #9691

History

#1 Updated by Alicha CH 7 months ago

  • Subject changed from [3.8] ghostscript: Improperly implemented security check in zsetdevice function in psi/zdevice.c (CVE-2018-19409) to [3.8] ghostscript: Multiple vulnerabilities: (CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477)
  • Description updated (diff)
  • Security IDs changed from CVE-2018-19409 to CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477

#2 Updated by Andy Postnikov 7 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#3 Updated by Alicha CH 7 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed

Also available in: Atom PDF