Skip to content

GitLab

aports
aports
Closed
Opened by Alicha CH@alichaReporter

[3.9] ghostscript: Multiple vulnerabilities: (CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477)

CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not
checked correctly if another device is used.

Fixed In Version:

ghostscript 9.26

References:

https://www.ghostscript.com/doc/9.26/History9.htm\#Version9.26
https://nvd.nist.gov/vuln/detail/CVE-2018-19409

Patches:

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=661e8d8fb
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea1b3ef43

CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19475
https://bugs.ghostscript.com/show\_bug.cgi?id=700153

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315 (master)

CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended
access restrictions because of a setcolorspace type confusion.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19476
https://bugs.ghostscript.com/show\_bug.cgi?id=700169

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=67d760ab775dae4efe803b5944b0439aa3c0b04a (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=434753adbe8be5534bfb9b7d91746023e8073d16 (master)

CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-19477
https://bugs.ghostscript.com/show\_bug.cgi?id=700168

Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ef252e7dc214bcbd9a2539216aab9202848602bb (ghostscript-9.26)
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=606a22e77e7f081781e99e44644cd0119f559e03 (master)

(from redmine: issue id 9690, created on 2018-11-26, closed on 2018-12-07)

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information