CVE-2016-10141
https://notcve.org/view.php?id=CVE-2016-10141
An integer overflow vulnerability was observed in the regemit function in regexp.c in Artifex Software, Inc. MuJS before fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular expression with nested repetition. A successful exploitation of this issue can lead to code execution or a denial of service (buffer overflow) condition. Se observó una vulnerabilidad de desbordamiento de enteros en la función regemit en regexp.c en Artifex Software, Inc. • http://git.ghostscript.com/?p=mujs.git%3Bh=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045 http://www.securityfocus.com/bid/95876 https://bugs.ghostscript.com/show_bug.cgi?id=697448 • CWE-190: Integer Overflow or Wraparound •
CVE-2016-7978 – ghostscript: reference leak in .setdevice allows use-after-free and remote code execution
https://notcve.org/view.php?id=CVE-2016-7978
Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. Vulnerabilidad de uso después de la liberación de Ghostscript 9.20 podría permitir a atacantes remotos ejecutar código arbitrario a través de vectores relacionados con una fuga de referencia en .setdevice. It was found that the ghostscript function .setdevice suffered a use-after-free vulnerability due to an incorrect reference count. A specially crafted postscript document could trigger code execution in the context of the gs process. • http://rhn.redhat.com/errata/RHSA-2017-0013.html http://www.debian.org/security/2016/dsa-3691 http://www.openwall.com/lists/oss-security/2016/10/05/15 http://www.securityfocus.com/bid/95336 https://bugs.ghostscript.com/show_bug.cgi?id=697179 https://security.gentoo.org/glsa/201702-31 https://access.redhat.com/security/cve/CVE-2016-7978 https://bugzilla.redhat.com/show_bug.cgi?id=1382300 • CWE-416: Use After Free •
CVE-2013-5653 – ghostscript: getenv and filenameforall ignore -dSAFER
https://notcve.org/view.php?id=CVE-2013-5653
The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file. Las funciones getenv y filenameforall en Ghostscript 9.10 ignoran el argumento "-dSAFER", lo que permite a atacantes remotos leer datos a través de un archivo postcript manipulado. It was found that the ghostscript functions getenv and filenameforall did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable and list directory respectively, from the target. • http://rhn.redhat.com/errata/RHSA-2017-0013.html http://rhn.redhat.com/errata/RHSA-2017-0014.html http://www.debian.org/security/2016/dsa-3691 http://www.openwall.com/lists/oss-security/2016/09/29/28 http://www.openwall.com/lists/oss-security/2016/09/29/5 http://www.securityfocus.com/bid/96497 https://bugs.ghostscript.com/show_bug.cgi?id=694724 https://bugs.ghostscript.com/show_bug.cgi?id=697169 https://bugzilla.redhat.com/show_bug.cgi?id=1380327 https:& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-8602 – ghostscript: check for sufficient params in .sethalftone5
https://notcve.org/view.php?id=CVE-2016-8602
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. La función .sethalftone5 en psi/zht2.c en Ghostscript en versiones anteriores a 9.21 permite a los atacantes remotos provocar una denegación de servicio (caída de la aplicación) o posiblemente ejecutar código arbitrario a través de un documento Postscript que llama a .sethalftone5 con una pila de operandos vacía. It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process. • http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=f5c7555c303 http://rhn.redhat.com/errata/RHSA-2017-0013.html http://rhn.redhat.com/errata/RHSA-2017-0014.html http://www.debian.org/security/2016/dsa-3691 http://www.openwall.com/lists/oss-security/2016/10/11/5 http://www.openwall.com/lists/oss-security/2016/10/11/7 http://www.securityfocus.com/bid/95311 https://bugs.ghostscript.com/show_bug.cgi?id=697203 https://bugzilla.redhat.com/show_bug.cgi • CWE-20: Improper Input Validation CWE-704: Incorrect Type Conversion or Cast •
CVE-2016-7979 – ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
https://notcve.org/view.php?id=CVE-2016-7979
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. Ghostscript versiones anteriores a 9.21 podría permitir que los atacantes remotos pasaran por alto el mecanismo de protección del modo SAFER y, en consecuencia, ejecutar código arbitrario mediante el aprovechamiento de la confusión de tipos en .initialize_dsc_parser. It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash code execution in the context of the gs process. • http://git.ghostscript.com/?p=ghostpdl.git%3Bh=875a0095f37626a721c7ff57d606a0f95af03913 http://rhn.redhat.com/errata/RHSA-2017-0013.html http://rhn.redhat.com/errata/RHSA-2017-0014.html http://www.debian.org/security/2016/dsa-3691 http://www.openwall.com/lists/oss-security/2016/10/05/15 http://www.securityfocus.com/bid/95337 https://bugs.ghostscript.com/show_bug.cgi?id=697190 https://security.gentoo.org/glsa/201702-31 https://access.redhat.com/security/cve/CVE-2016-7979 h • CWE-20: Improper Input Validation CWE-704: Incorrect Type Conversion or Cast •