CVE-2018-15909 – ghostscript: shading_param incomplete type checking (699660)
https://notcve.org/view.php?id=CVE-2018-15909
In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. En Artifex Ghostscript 9.23 antes del 24/08/2018, los atacantes podrían emplear una confusión de tipos usando el operador .shfill para proporcionar archivos PostScript manipulados para provocar el cierre inesperado del intérprete o ejecutar código. It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=0b6cd1918e1ec4ffd087400a754a845180a4522b http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=e01e77a36cbb2e0277bc3a63852244bec41be0f6 http://www.securityfocus.com/bid/105178 https://access.redhat.com/errata/RHSA-2018:3650 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html https://security.gentoo.org/glsa/201811-12 https://support.f5.com/csp/article/K24803507?utm • CWE-704: Incorrect Type Conversion or Cast CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2018-15910 – ghostscript: LockDistillerParams type confusion (699656)
https://notcve.org/view.php?id=CVE-2018-15910
In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. En Artifex Ghostscript en versiones anteriores a la 9.24, los atacantes que puedan proporcionar archivos PostScript manipulados podrían emplear una confusión de tipos en el parámetro LockDistillerParams para provocar el cierre inesperado del intérprete o ejecutar código. It was discovered that the type of the LockDistillerParams parameter is not properly verified. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=c3476dde7743761a4e1d39a631716199b696b880 http://www.securityfocus.com/bid/105122 https://access.redhat.com/errata/RHSA-2018:2918 https://bugs.ghostscript.com/show_bug.cgi?id=699656 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html https://security.gentoo.org/glsa/201811-12 https://support.f5.com/csp/article/K22141757?utm_source=f5support&%3Butm_medium= • CWE-704: Incorrect Type Conversion or Cast •
CVE-2016-9601
https://notcve.org/view.php?id=CVE-2016-9601
ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript. ghostscript, en versiones anteriores a la 9.21, es vulnerable a un desbordamiento de búfer basado en memoria dinámica (heap) descubierto en la función de ghostscript jbig2_decode_gray_scale_image, que se usa para descifrar segmentos halftone en una imagen JBIG2. Un documento (PostScript o PDF) con una imagen jbig2 embebida y especialmente manipulada podría desencadenar un fallo de segmentación en ghostscript. • http://git.ghostscript.com/?p=jbig2dec.git%3Ba=commit%3Bh=e698d5c11d27212aa1098bc5b1673a3378563092 http://www.securityfocus.com/bid/97095 https://bugs.ghostscript.com/show_bug.cgi?id=697457 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9601 https://security.gentoo.org/glsa/201706-24 https://www.debian.org/security/2017/dsa-3817 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190: Integer Overflow or Wraparound •
CVE-2013-6629 – libjpeg: information leak (read of uninitialized memory)
https://notcve.org/view.php?id=CVE-2013-6629
The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image. La función get_sos de jdmarker.c en libjpeg 6b y libjpeg-turbo hasta la versión 1.3.0, tal y como se usa en Google Chrome anterior a la versión 31.0.1650.48, Ghostscript y otros productos, no comprueba ciertas duplicaciones de datos de componentes durante la lectura de segmentos que siguen marcadores Start Of Scan (SOS), lo que permite a atacantes remotos obtener información sensible desde localizaciones de memoria sin inicializar a través de una imagen JPEG manipulada. • http://advisories.mageia.org/MGASA-2013-0333.html http://archives.neohapsis.com/archives/fulldisclosure/2013-11/0080.html http://bugs.ghostscript.com/show_bug.cgi?id=686980 http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html http://lists.fedoraproject.org • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-456: Missing Initialization of a Variable •
CVE-2012-4875
https://notcve.org/view.php?id=CVE-2012-4875
Heap-based buffer overflow in gdevwpr2.c in Ghostscript 9.04, when processing the OutputFile device parameter, allows user-assisted remote attackers to execute arbitrary code via a long file name in a PostScript document. NOTE: as of 20120314, the developer was not able to reproduce the issue and disputed it ** EN DISPUTA ** Un desbordamiento de búfer basado en memoria dinámica (heap) en gdevwpr2.c en Ghostscript v9.04, al procesar el parámetro de dispositivo 'OutputFile', permite ejecutar código de su elección a atacantes remotos con cierta ayuda de un usuario local a través de un nombre de archivo largo en un documento PostScript. NOTA: a partir de 14/03/2012, el desarrollador no ha podido reproducir el problema y por tanto lo pone en duda. • http://bugs.ghostscript.com/show_bug.cgi?id=692856 http://secunia.com/advisories/47855 http://www.securityfocus.com/bid/52864 https://exchange.xforce.ibmcloud.com/vulnerabilities/74554 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •