{"id": "CVE-2018-16585", "bulletinFamily": "NVD", "title": "CVE-2018-16585", "description": "** DISPUTED ** An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. Note: A reputable source believes that the CVE is potentially a duplicate of CVE-2018-15910 as explained in Red Hat bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1626193).", "published": "2018-09-06T14:29:00", "modified": "2019-10-09T21:15:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16585", "reporter": "cve@mitre.org", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1626193", "https://www.debian.org/security/2018/dsa-4288", "https://security.gentoo.org/glsa/201811-12", "https://seclists.org/oss-sec/2018/q3/182", "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be", "https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html", "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22", "https://usn.ubuntu.com/3768-1/"], "cvelist": ["CVE-2018-16585"], "type": "cve", "lastseen": "2020-12-09T20:25:37", "edition": 9, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4288-1:7D925", "DEBIAN:DLA-1504-1:6A483"]}, {"type": "nessus", "idList": ["AL2_ALAS-2018-1088.NASL", "DEBIAN_DLA-1504.NASL", "OPENSUSE-2018-1123.NASL", "OPENSUSE-2019-759.NASL", "GHOSTSCRIPT_9_24.NASL", "SUSE_SU-2018-2975-1.NASL", "OPENSUSE-2018-1122.NASL", "UBUNTU_USN-3768-1.NASL", "SUSE_SU-2018-2976-1.NASL", "DEBIAN_DSA-4288.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891504", "OPENVAS:1361412562310851986", "OPENVAS:1361412562310704288", "OPENVAS:1361412562310843638", "OPENVAS:1361412562310851926"]}, {"type": "amazon", "idList": ["ALAS2-2018-1088"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3038-1", "OPENSUSE-SU-2018:3036-1"]}, {"type": "ubuntu", "idList": ["USN-3768-1"]}, {"type": "gentoo", "idList": ["GLSA-201811-12"]}], "modified": "2020-12-09T20:25:37", "rev": 2}, "score": {"value": 4.2, "vector": "NONE", "modified": "2020-12-09T20:25:37", "rev": 2}, "vulnersScore": 4.2}, "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "affectedSoftware": [{"cpeName": "debian:debian_linux", "name": "debian debian linux", "operator": "eq", "version": "8.0"}, {"cpeName": "canonical:ubuntu_linux", "name": "canonical ubuntu linux", "operator": "eq", "version": "16.04"}, {"cpeName": "canonical:ubuntu_linux", "name": "canonical ubuntu linux", "operator": "eq", "version": "14.04"}, {"cpeName": "canonical:ubuntu_linux", "name": "canonical ubuntu linux", "operator": "eq", "version": "18.04"}, {"cpeName": "artifex:ghostscript", "name": "artifex ghostscript", "operator": "lt", "version": "9.24"}, {"cpeName": "debian:debian_linux", "name": "debian debian linux", "operator": "eq", "version": "9.0"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"], "cwe": ["CWE-119"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:artifex:ghostscript:9.24:*:*:*:*:*:*:*", "versionEndExcluding": "9.24", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}

{"debian": [{"lastseen": "2020-08-12T00:57:03", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16543", "CVE-2018-16542", "CVE-2018-16513"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4288-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 07, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ghostscript\nCVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911\n CVE-2018-16511 CVE-2018-16513 CVE-2018-16539\n\t\t CVE-2018-16540 CVE-2018-16541 CVE-2018-16542\n\t\t CVE-2018-16543 CVE-2018-16585\n\nTavis Ormandy discovered multiple vulnerabilites in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 9.20~dfsg-3.2+deb9u4.\n\nWe recommend that you upgrade your ghostscript packages.\n\nFor the detailed security status of ghostscript please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/ghostscript\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2018-09-07T21:23:53", "published": "2018-09-07T21:23:53", "id": "DEBIAN:DSA-4288-1:7D925", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00218.html", "title": "[SECURITY] [DSA 4288-1] ghostscript security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:51:23", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "Package : ghostscript\nVersion : 9.06~dfsg-2+deb8u8\nCVE ID : CVE-2018-11645 CVE-2018-15908 CVE-2018-15909\n CVE-2018-15910 CVE-2018-15911 CVE-2018-16509\n CVE-2018-16511 CVE-2018-16513 CVE-2018-16539\n CVE-2018-16540 CVE-2018-16541 CVE-2018-16542\n CVE-2018-16585 CVE-2018-16802\nDebian Bug : 907332 908305 907703\n\nTavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n9.06~dfsg-2+deb8u8.\n\nWe recommend that you upgrade your ghostscript packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-09-13T12:24:09", "published": "2018-09-13T12:24:09", "id": "DEBIAN:DLA-1504-1:6A483", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00015.html", "title": "[SECURITY] [DLA 1504-1] ghostscript security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T01:48:02", "description": "Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial\nof service, the creation of files or the execution of arbitrary code\nif a malformed Postscript file is processed (despite the dSAFER\nsandbox being enabled).", "edition": 23, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-09-10T00:00:00", "title": "Debian DSA-4288-1 : ghostscript - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16543", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ghostscript", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4288.NASL", "href": "https://www.tenable.com/plugins/nessus/117369", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4288. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117369);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/13 12:30:47\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\");\n script_xref(name:\"DSA\", value:\"4288\");\n\n script_name(english:\"Debian DSA-4288-1 : ghostscript - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial\nof service, the creation of files or the execution of arbitrary code\nif a malformed Postscript file is processed (despite the dSAFER\nsandbox being enabled).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/ghostscript\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/ghostscript\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4288\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the ghostscript packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 9.20~dfsg-3.2+deb9u4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"ghostscript\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ghostscript-dbg\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ghostscript-doc\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ghostscript-x\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libgs-dev\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libgs9\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libgs9-common\", reference:\"9.20~dfsg-3.2+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T08:48:35", "description": "The version of Artifex Ghostscript installed on the remote Windows\nhost is prior to 9.24. It is, therefore, affected by multiple \nvulnerabilities due to improperly handling PostScript data. A\ncontext-dependent attacker could cause a buffer overflow,\npotentially crashing the service.", "edition": 14, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-09-12T00:00:00", "title": "Artifex Ghostscript Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2018-09-12T00:00:00", "cpe": ["cpe:/a:artifex:ghostscript", "cpe:/a:artifex:gpl_ghostscript"], "id": "GHOSTSCRIPT_9_24.NASL", "href": "https://www.tenable.com/plugins/nessus/117459", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117459);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/27\");\n\n script_cve_id(\n \"CVE-2018-15908\",\n \"CVE-2018-15909\",\n \"CVE-2018-15910\",\n \"CVE-2018-15911\",\n \"CVE-2018-16511\",\n \"CVE-2018-16513\",\n \"CVE-2018-16539\",\n \"CVE-2018-16540\",\n \"CVE-2018-16541\",\n \"CVE-2018-16542\",\n \"CVE-2018-16543\",\n \"CVE-2018-16585\"\n );\n\n script_name(english:\"Artifex Ghostscript Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Ghostscript version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a library that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Artifex Ghostscript installed on the remote Windows\nhost is prior to 9.24. It is, therefore, affected by multiple \nvulnerabilities due to improperly handling PostScript data. A\ncontext-dependent attacker could cause a buffer overflow,\npotentially crashing the service.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ghostscript.com/doc/9.24/History9.htm\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2018/dsa-4288\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.artifex.com/news/ghostscript-security-resolved/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.chromium.org/p/project-zero/issues/detail?id=1640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.ghostscript.com/show_bug.cgi?id=699654\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to 9.24.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-16585\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:artifex:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:artifex:gpl_ghostscript\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ghostscript_detect.nbin\");\n script_require_keys(\"installed_sw/Ghostscript\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp = \"Ghostscript\";\nconstraints = [{\"fixed_version\" : \"9.24\"}];\n\napp_info = vcf::get_app_info(app:app, win_local:TRUE);\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:16:40", "description": "It was discovered that the ghostscript .shfill operator did not\nproperly validate certain types. An attacker could possibly exploit\nthis to bypass the -dSAFER protection and crash ghostscript or,\npossibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-15909)\n\nAn issue was discovered in Artifex Ghostscript before 9.24. A type\nconfusion in 'ztype' could be used by remote attackers able to supply\ncrafted PostScript to crash the interpreter or possibly have\nunspecified other impact.(CVE-2018-16511)\n\nAn issue was discovered in Artifex Ghostscript before 9.24. The\n.setdistillerkeys PostScript command is accepted even though it is not\nintended for use during document processing (e.g., after the startup\nphase). This leads to memory corruption, allowing remote attackers\nable to supply crafted PostScript to crash the interpreter or possibly\nhave unspecified other impact.(CVE-2018-16585)\n\nIt was discovered that the ghostscript PDF14 compositor did not\nproperly handle the copying of a device. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16540)\n\nIt was discovered that the ghostscript device cleanup did not properly\nhandle devices replaced with a null device. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16541)\n\nIt was discovered that the ghostscript did not properly restrict\naccess to files open prior to enabling the -dSAFER mode. An attacker\ncould possibly exploit this to bypass the -dSAFER protection and\ndisclose the content of affected files via a specially crafted\nPostScript document.(CVE-2018-16539)\n\nAn issue was discovered in Artifex Ghostscript before 9.25. Incorrect\n'restoration of privilege' checking when running out of stack during\nexception handling could be used by attackers able to supply crafted\nPostScript to execute code using the 'pipe' instruction. This is due\nto an incomplete fix for CVE-2018-16509 .(CVE-2018-16802)\n\nIt was discovered that ghostscript did not properly handle certain\nstack overflow error conditions. An attacker could possibly exploit\nthis to bypass the -dSAFER protection and crash ghostscript or,\npossibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16542)\n\nGhostscript did not honor the -dSAFER option when executing the\n'status' instruction, which can be used to retrieve information such\nas a file's existence and size. A specially crafted postscript\ndocument could use this flow to gain information on the targeted\nsystem's filesystem content.(CVE-2018-11645)\n\nIt was discovered that the ghostscript did not properly validate the\noperands passed to the setcolor function. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16513)\n\nIt was discovered that the type of the LockDistillerParams parameter\nis not properly verified. An attacker could possibly exploit this to\nbypass the -dSAFER protection and crash ghostscript or, possibly,\nexecute arbitrary code in the ghostscript context via a specially\ncrafted PostScript document.(CVE-2018-15910)\n\nIt was discovered that the ghostscript /invalidaccess checks fail\nunder certain conditions. An attacker could possibly exploit this to\nbypass the -dSAFER protection and, for example, execute arbitrary\nshell commands via a specially crafted PostScript\ndocument.(CVE-2018-16509)\n\nIt was discovered that ghostscript did not properly verify the key\nused in aesdecode. An attacker could possibly exploit this to bypass\nthe -dSAFER protection and crash ghostscript or, possibly, execute\narbitrary code in the ghostscript context via a specially crafted\nPostScript document.(CVE-2018-15911)\n\nIt was discovered that the ghostscript .tempfile function did not\nproperly handle file permissions. An attacker could possibly exploit\nthis to exploit this to bypass the -dSAFER protection and delete files\nor disclose their content via a specially crafted PostScript\ndocument.(CVE-2018-15908)", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-10-11T00:00:00", "title": "Amazon Linux 2 : ghostscript (ALAS-2018-1088)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:ghostscript", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:ghostscript-cups", "p-cpe:/a:amazon:linux:ghostscript-debuginfo", "p-cpe:/a:amazon:linux:ghostscript-doc", "p-cpe:/a:amazon:linux:ghostscript-devel", "p-cpe:/a:amazon:linux:ghostscript-gtk"], "id": "AL2_ALAS-2018-1088.NASL", "href": "https://www.tenable.com/plugins/nessus/118043", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2018-1088.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118043);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2018-11645\", \"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16585\", \"CVE-2018-16802\");\n script_xref(name:\"ALAS\", value:\"2018-1088\");\n\n script_name(english:\"Amazon Linux 2 : ghostscript (ALAS-2018-1088)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the ghostscript .shfill operator did not\nproperly validate certain types. An attacker could possibly exploit\nthis to bypass the -dSAFER protection and crash ghostscript or,\npossibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-15909)\n\nAn issue was discovered in Artifex Ghostscript before 9.24. A type\nconfusion in 'ztype' could be used by remote attackers able to supply\ncrafted PostScript to crash the interpreter or possibly have\nunspecified other impact.(CVE-2018-16511)\n\nAn issue was discovered in Artifex Ghostscript before 9.24. The\n.setdistillerkeys PostScript command is accepted even though it is not\nintended for use during document processing (e.g., after the startup\nphase). This leads to memory corruption, allowing remote attackers\nable to supply crafted PostScript to crash the interpreter or possibly\nhave unspecified other impact.(CVE-2018-16585)\n\nIt was discovered that the ghostscript PDF14 compositor did not\nproperly handle the copying of a device. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16540)\n\nIt was discovered that the ghostscript device cleanup did not properly\nhandle devices replaced with a null device. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16541)\n\nIt was discovered that the ghostscript did not properly restrict\naccess to files open prior to enabling the -dSAFER mode. An attacker\ncould possibly exploit this to bypass the -dSAFER protection and\ndisclose the content of affected files via a specially crafted\nPostScript document.(CVE-2018-16539)\n\nAn issue was discovered in Artifex Ghostscript before 9.25. Incorrect\n'restoration of privilege' checking when running out of stack during\nexception handling could be used by attackers able to supply crafted\nPostScript to execute code using the 'pipe' instruction. This is due\nto an incomplete fix for CVE-2018-16509 .(CVE-2018-16802)\n\nIt was discovered that ghostscript did not properly handle certain\nstack overflow error conditions. An attacker could possibly exploit\nthis to bypass the -dSAFER protection and crash ghostscript or,\npossibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16542)\n\nGhostscript did not honor the -dSAFER option when executing the\n'status' instruction, which can be used to retrieve information such\nas a file's existence and size. A specially crafted postscript\ndocument could use this flow to gain information on the targeted\nsystem's filesystem content.(CVE-2018-11645)\n\nIt was discovered that the ghostscript did not properly validate the\noperands passed to the setcolor function. An attacker could possibly\nexploit this to bypass the -dSAFER protection and crash ghostscript\nor, possibly, execute arbitrary code in the ghostscript context via a\nspecially crafted PostScript document.(CVE-2018-16513)\n\nIt was discovered that the type of the LockDistillerParams parameter\nis not properly verified. An attacker could possibly exploit this to\nbypass the -dSAFER protection and crash ghostscript or, possibly,\nexecute arbitrary code in the ghostscript context via a specially\ncrafted PostScript document.(CVE-2018-15910)\n\nIt was discovered that the ghostscript /invalidaccess checks fail\nunder certain conditions. An attacker could possibly exploit this to\nbypass the -dSAFER protection and, for example, execute arbitrary\nshell commands via a specially crafted PostScript\ndocument.(CVE-2018-16509)\n\nIt was discovered that ghostscript did not properly verify the key\nused in aesdecode. An attacker could possibly exploit this to bypass\nthe -dSAFER protection and crash ghostscript or, possibly, execute\narbitrary code in the ghostscript context via a specially crafted\nPostScript document.(CVE-2018-15911)\n\nIt was discovered that the ghostscript .tempfile function did not\nproperly handle file permissions. An attacker could possibly exploit\nthis to exploit this to bypass the -dSAFER protection and delete files\nor disclose their content via a specially crafted PostScript\ndocument.(CVE-2018-15908)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2018-1088.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update ghostscript' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript-cups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ghostscript-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-9.06-8.amzn2.0.5\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-cups-9.06-8.amzn2.0.5\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-debuginfo-9.06-8.amzn2.0.5\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-devel-9.06-8.amzn2.0.5\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-doc-9.06-8.amzn2.0.5\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"ghostscript-gtk-9.06-8.amzn2.0.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript / ghostscript-cups / ghostscript-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T09:39:49", "description": "Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial\nof service, the creation of files or the execution of arbitrary code\nif a malformed Postscript file is processed (despite the dSAFER\nsandbox being enabled).\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n9.06~dfsg-2+deb8u8.\n\nWe recommend that you upgrade your ghostscript packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 22, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-09-14T00:00:00", "title": "Debian DLA-1504-1 : ghostscript security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2018-09-14T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libgs9", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:ghostscript", "p-cpe:/a:debian:debian_linux:ghostscript-x", "p-cpe:/a:debian:debian_linux:ghostscript-doc", "p-cpe:/a:debian:debian_linux:ghostscript-dbg", "p-cpe:/a:debian:debian_linux:libgs-dev", "p-cpe:/a:debian:debian_linux:libgs9-common"], "id": "DEBIAN_DLA-1504.NASL", "href": "https://www.tenable.com/plugins/nessus/117487", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1504-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117487);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-11645\", \"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16585\", \"CVE-2018-16802\");\n\n script_name(english:\"Debian DLA-1504-1 : ghostscript security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial\nof service, the creation of files or the execution of arbitrary code\nif a malformed Postscript file is processed (despite the dSAFER\nsandbox being enabled).\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n9.06~dfsg-2+deb8u8.\n\nWe recommend that you upgrade your ghostscript packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/ghostscript\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript-x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"ghostscript\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ghostscript-dbg\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ghostscript-doc\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ghostscript-x\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgs-dev\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgs9\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgs9-common\", reference:\"9.06~dfsg-2+deb8u8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T06:15:32", "description": "This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-02T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:2976-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2019-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libspectre1-debuginfo", "p-cpe:/a:novell:suse_linux:ghostscript-debuginfo", "p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo", "p-cpe:/a:novell:suse_linux:ghostscript-devel", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:ghostscript-x11", "p-cpe:/a:novell:suse_linux:libspectre1", "p-cpe:/a:novell:suse_linux:ghostscript-debugsource", "p-cpe:/a:novell:suse_linux:libspectre-debugsource", "p-cpe:/a:novell:suse_linux:ghostscript", "p-cpe:/a:novell:suse_linux:libspectre-devel"], "id": "SUSE_SU-2018-2976-1.NASL", "href": "https://www.tenable.com/plugins/nessus/120116", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2976-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120116);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:2976-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15908/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15909/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15910/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15911/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16510/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16513/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16540/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16541/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16542/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16543/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16585/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-17183/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182976-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8e208efb\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2018-2119=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2018-2119=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-debuginfo-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-debugsource-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-devel-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-x11-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"ghostscript-x11-debuginfo-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libspectre-debugsource-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libspectre-devel-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libspectre1-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libspectre1-debuginfo-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-debuginfo-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-debugsource-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-devel-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-x11-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"ghostscript-x11-debuginfo-9.25-3.6.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libspectre-debugsource-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libspectre-devel-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libspectre1-0.2.8-3.2.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libspectre1-debuginfo-0.2.8-3.2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:14:11", "description": "This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-10-03T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ghostscript-debuginfo", "p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ghostscript-x11", "p-cpe:/a:novell:suse_linux:ghostscript-debugsource", "p-cpe:/a:novell:suse_linux:ghostscript"], "id": "SUSE_SU-2018-2975-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117901", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2975-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117901);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15908/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15909/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15910/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15911/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16510/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16513/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16540/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16541/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16542/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16543/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16585/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-17183/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182975-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8d3f27e4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2018-2121=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-2121=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-2121=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-2121=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-2121=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-2121=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-2121=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-2121=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2018-2121=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1|2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:14:14", "description": "This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-10-22T00:00:00", "title": "SUSE SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ghostscript-debuginfo", "p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ghostscript-x11", "p-cpe:/a:novell:suse_linux:ghostscript-debugsource", "p-cpe:/a:novell:suse_linux:ghostscript"], "id": "SUSE_SU-2018-2975-2.NASL", "href": "https://www.tenable.com/plugins/nessus/118298", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2975-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118298);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n\n script_name(english:\"SUSE SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\nCVE-2018-17183: Remote attackers were be able to supply crafted\nPostScript to potentially overwrite or replace error handlers to\ninject code (bsc#1109105)\n\nCVE-2018-15909: Prevent type confusion using the .shfill operator that\ncould have been used by attackers able to supply crafted PostScript\nfiles to crash the interpreter or potentially execute code\n(bsc#1106172).\n\nCVE-2018-15908: Prevent attackers that are able to supply malicious\nPostScript files to bypass .tempfile restrictions and write files\n(bsc#1106171).\n\nCVE-2018-15910: Prevent a type confusion in the LockDistillerParams\nparameter that could have been used to crash the interpreter or\nexecute code (bsc#1106173).\n\nCVE-2018-15911: Prevent use uninitialized memory access in the\naesdecode operator that could have been used to crash the interpreter\nor potentially execute code (bsc#1106195).\n\nCVE-2018-16513: Prevent a type confusion in the setcolor function that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107412).\n\nCVE-2018-16509: Incorrect 'restoration of privilege' checking during\nhandling of /invalidaccess exceptions could be have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction (bsc#1107410).\n\nCVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\nprimitives could have been used by remote attackers able to supply\ncrafted PDFs to crash the interpreter or possibly have unspecified\nother impact (bsc#1107411).\n\nCVE-2018-16542: Prevent attackers able to supply crafted PostScript\nfiles from using insufficient interpreter stack-size checking during\nerror handling to crash the interpreter (bsc#1107413).\n\nCVE-2018-16541: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect free logic in pagedevice replacement to\ncrash the interpreter (bsc#1107421).\n\nCVE-2018-16540: Prevent use-after-free in copydevice handling that\ncould have been used to crash the interpreter or possibly have\nunspecified other impact (bsc#1107420).\n\nCVE-2018-16539: Prevent attackers able to supply crafted PostScript\nfiles from using incorrect access checking in temp file handling to\ndisclose contents of files on the system otherwise not readable\n(bsc#1107422).\n\nCVE-2018-16543: gssetresolution and gsgetresolution allowed attackers\nto have an unspecified impact (bsc#1107423).\n\nCVE-2018-16511: A type confusion in 'ztype' could have been used by\nremote attackers able to supply crafted PostScript to crash the\ninterpreter or possibly have unspecified other impact (bsc#1107426).\n\nCVE-2018-16585: The .setdistillerkeys PostScript command was accepted\neven though it is not intended for use during document processing\n(e.g., after the startup phase). This lead to memory corruption,\nallowing remote attackers able to supply crafted PostScript to crash\nthe interpreter or possibly have unspecified other impact\n(bsc#1107581).\n\nCVE-2018-16802: Incorrect 'restoration of privilege' checking when\nrunning out of stack during exception handling could have been used by\nattackers able to supply crafted PostScript to execute code using the\n'pipe' instruction. This is due to an incomplete fix for\nCVE-2018-16509 (bsc#1108027).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15908/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15909/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15910/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15911/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16510/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16511/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16513/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16539/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16540/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16541/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16542/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16543/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16585/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-17183/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182975-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3b533236\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2018-2121=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ghostscript-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ghostscript-debuginfo-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ghostscript-debugsource-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ghostscript-x11-9.25-23.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ghostscript-x11-debuginfo-9.25-23.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T10:56:50", "description": "Tavis Ormandy discovered multiple security issues in Ghostscript. If a\nuser or automated system were tricked into processing a specially\ncrafted file, a remote attacker could possibly use these issues to\naccess arbitrary files, execute arbitrary code, or cause a denial of\nservice.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-09-19T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Ghostscript vulnerabilities (USN-3768-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2018-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libgs9", "p-cpe:/a:canonical:ubuntu_linux:ghostscript", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3768-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117595", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3768-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117595);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-11645\", \"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\");\n script_xref(name:\"USN\", value:\"3768-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Ghostscript vulnerabilities (USN-3768-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Tavis Ormandy discovered multiple security issues in Ghostscript. If a\nuser or automated system were tricked into processing a specially\ncrafted file, a remote attacker could possibly use these issues to\naccess arbitrary files, execute arbitrary code, or cause a denial of\nservice.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3768-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected ghostscript and / or libgs9 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgs9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"ghostscript\", pkgver:\"9.10~dfsg-0ubuntu10.13\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libgs9\", pkgver:\"9.10~dfsg-0ubuntu10.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"ghostscript\", pkgver:\"9.18~dfsg~0-0ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libgs9\", pkgver:\"9.18~dfsg~0-0ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"ghostscript\", pkgver:\"9.22~dfsg+1-0ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libgs9\", pkgver:\"9.22~dfsg+1-0ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript / libgs9\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:39:26", "description": "This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-17183: Remote attackers were be able to supply\n crafted PostScript to potentially overwrite or replace\n error handlers to inject code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill\n operator that could have been used by attackers able to\n supply crafted PostScript files to crash the interpreter\n or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to\n supply malicious PostScript files to bypass .tempfile\n restrictions and write files (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the\n LockDistillerParams parameter that could have been used\n to crash the interpreter or execute code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access\n in the aesdecode operator that could have been used to\n crash the interpreter or potentially execute code\n (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor\n function that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege'\n checking during handling of /invalidaccess exceptions\n could be have been used by attackers able to supply\n crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the\n 'CS' and 'SC' PDF primitives could have been used by\n remote attackers able to supply crafted PDFs to crash\n the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted\n PostScript files from using insufficient interpreter\n stack-size checking during error handling to crash the\n interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted\n PostScript files from using incorrect free logic in\n pagedevice replacement to crash the interpreter\n (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice\n handling that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted\n PostScript files from using incorrect access checking in\n temp file handling to disclose contents of files on the\n system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution\n allowed attackers to have an unspecified impact\n (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'ztype' could have\n been used by remote attackers able to supply crafted\n PostScript to crash the interpreter or possibly have\n unspecified other impact (bsc#1107426).\n\n - CVE-2018-16585: The .setdistillerkeys PostScript command\n was accepted even though it is not intended for use\n during document processing (e.g., after the startup\n phase). This lead to memory corruption, allowing remote\n attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107581).\n\n - CVE-2018-16802: Incorrect 'restoration of privilege'\n checking when running out of stack during exception\n handling could have been used by attackers able to\n supply crafted PostScript to execute code using the\n 'pipe' instruction. This is due to an incomplete fix for\n CVE-2018-16509 (bsc#1108027).\n\nThese non-security issues were fixed :\n\n - Fixes problems with argument handling, some unintended\n results of the security fixes to the SAFER file access\n restrictions (specifically accessing ICC profile files).\n\n - Avoid that ps2epsi fails with 'Error: /undefined in\n --setpagedevice--'\n\nFor additional changes please check\nhttp://www.ghostscript.com/doc/9.25/News.htm\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-10-09T00:00:00", "title": "openSUSE Security Update : ghostscript (openSUSE-2018-1123)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2018-10-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-x11", "p-cpe:/a:novell:opensuse:ghostscript", "p-cpe:/a:novell:opensuse:ghostscript-mini", "p-cpe:/a:novell:opensuse:libspectre1", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:libspectre-debugsource", "p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-devel", "p-cpe:/a:novell:opensuse:ghostscript-debugsource", "p-cpe:/a:novell:opensuse:libspectre-devel", "p-cpe:/a:novell:opensuse:libspectre1-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-mini-devel", "p-cpe:/a:novell:opensuse:ghostscript-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource"], "id": "OPENSUSE-2018-1123.NASL", "href": "https://www.tenable.com/plugins/nessus/117980", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1123.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117980);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n\n script_name(english:\"openSUSE Security Update : ghostscript (openSUSE-2018-1123)\");\n script_summary(english:\"Check for the openSUSE-2018-1123 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-17183: Remote attackers were be able to supply\n crafted PostScript to potentially overwrite or replace\n error handlers to inject code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill\n operator that could have been used by attackers able to\n supply crafted PostScript files to crash the interpreter\n or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to\n supply malicious PostScript files to bypass .tempfile\n restrictions and write files (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the\n LockDistillerParams parameter that could have been used\n to crash the interpreter or execute code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access\n in the aesdecode operator that could have been used to\n crash the interpreter or potentially execute code\n (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor\n function that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege'\n checking during handling of /invalidaccess exceptions\n could be have been used by attackers able to supply\n crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the\n 'CS' and 'SC' PDF primitives could have been used by\n remote attackers able to supply crafted PDFs to crash\n the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted\n PostScript files from using insufficient interpreter\n stack-size checking during error handling to crash the\n interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted\n PostScript files from using incorrect free logic in\n pagedevice replacement to crash the interpreter\n (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice\n handling that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted\n PostScript files from using incorrect access checking in\n temp file handling to disclose contents of files on the\n system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution\n allowed attackers to have an unspecified impact\n (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'ztype' could have\n been used by remote attackers able to supply crafted\n PostScript to crash the interpreter or possibly have\n unspecified other impact (bsc#1107426).\n\n - CVE-2018-16585: The .setdistillerkeys PostScript command\n was accepted even though it is not intended for use\n during document processing (e.g., after the startup\n phase). This lead to memory corruption, allowing remote\n attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107581).\n\n - CVE-2018-16802: Incorrect 'restoration of privilege'\n checking when running out of stack during exception\n handling could have been used by attackers able to\n supply crafted PostScript to execute code using the\n 'pipe' instruction. This is due to an incomplete fix for\n CVE-2018-16509 (bsc#1108027).\n\nThese non-security issues were fixed :\n\n - Fixes problems with argument handling, some unintended\n results of the security fixes to the SAFER file access\n restrictions (specifically accessing ICC profile files).\n\n - Avoid that ps2epsi fails with 'Error: /undefined in\n --setpagedevice--'\n\nFor additional changes please check\nhttp://www.ghostscript.com/doc/9.25/News.htm\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n # http://www.ghostscript.com/doc/9.25/News.htm\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ghostscript.com/doc/9.25/News.htm\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109105\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ghostscript packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-debuginfo-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-debugsource-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-devel-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-mini-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-mini-debuginfo-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-mini-debugsource-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-mini-devel-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-x11-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"ghostscript-x11-debuginfo-9.25-lp150.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libspectre-debugsource-0.2.8-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libspectre-devel-0.2.8-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libspectre1-0.2.8-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libspectre1-debuginfo-0.2.8-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript-mini / ghostscript-mini-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:39:25", "description": "This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-17183: Remote attackers were be able to supply\n crafted PostScript to potentially overwrite or replace\n error handlers to inject code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill\n operator that could have been used by attackers able to\n supply crafted PostScript files to crash the interpreter\n or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to\n supply malicious PostScript files to bypass .tempfile\n restrictions and write files (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the\n LockDistillerParams parameter that could have been used\n to crash the interpreter or execute code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access\n in the aesdecode operator that could have been used to\n crash the interpreter or potentially execute code\n (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor\n function that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege'\n checking during handling of /invalidaccess exceptions\n could be have been used by attackers able to supply\n crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the\n 'CS' and 'SC' PDF primitives could have been used by\n remote attackers able to supply crafted PDFs to crash\n the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted\n PostScript files from using insufficient interpreter\n stack-size checking during error handling to crash the\n interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted\n PostScript files from using incorrect free logic in\n pagedevice replacement to crash the interpreter\n (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice\n handling that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted\n PostScript files from using incorrect access checking in\n temp file handling to disclose contents of files on the\n system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution\n allowed attackers to have an unspecified impact\n (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'ztype' could have\n been used by remote attackers able to supply crafted\n PostScript to crash the interpreter or possibly have\n unspecified other impact (bsc#1107426).\n\n - CVE-2018-16585: The .setdistillerkeys PostScript command\n was accepted even though it is not intended for use\n during document processing (e.g., after the startup\n phase). This lead to memory corruption, allowing remote\n attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107581).\n\n - CVE-2018-16802: Incorrect 'restoration of privilege'\n checking when running out of stack during exception\n handling could have been used by attackers able to\n supply crafted PostScript to execute code using the\n 'pipe' instruction. This is due to an incomplete fix for\n CVE-2018-16509 (bsc#1108027).\n\nThese non-security issues were fixed :\n\n - Fixes problems with argument handling, some unintended\n results of the security fixes to the SAFER file access\n restrictions (specifically accessing ICC profile files).\n\n - Avoid that ps2epsi fails with 'Error: /undefined in\n --setpagedevice--'\n\nFor additional changes please check\nhttp://www.ghostscript.com/doc/9.25/News.htm and the changes file of\nthe package. This update was imported from the SUSE:SLE-12:Update\nupdate project.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-10-09T00:00:00", "title": "openSUSE Security Update : ghostscript (openSUSE-2018-1122)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "modified": "2018-10-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-x11", "p-cpe:/a:novell:opensuse:ghostscript", "p-cpe:/a:novell:opensuse:ghostscript-mini", "p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-devel", "p-cpe:/a:novell:opensuse:ghostscript-debugsource", "p-cpe:/a:novell:opensuse:ghostscript-mini-devel", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:ghostscript-debuginfo", "p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource"], "id": "OPENSUSE-2018-1122.NASL", "href": "https://www.tenable.com/plugins/nessus/117979", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1122.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117979);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n\n script_name(english:\"openSUSE Security Update : ghostscript (openSUSE-2018-1122)\");\n script_summary(english:\"Check for the openSUSE-2018-1122 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ghostscript to version 9.25 fixes the following \nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-17183: Remote attackers were be able to supply\n crafted PostScript to potentially overwrite or replace\n error handlers to inject code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill\n operator that could have been used by attackers able to\n supply crafted PostScript files to crash the interpreter\n or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to\n supply malicious PostScript files to bypass .tempfile\n restrictions and write files (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the\n LockDistillerParams parameter that could have been used\n to crash the interpreter or execute code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access\n in the aesdecode operator that could have been used to\n crash the interpreter or potentially execute code\n (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor\n function that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege'\n checking during handling of /invalidaccess exceptions\n could be have been used by attackers able to supply\n crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the\n 'CS' and 'SC' PDF primitives could have been used by\n remote attackers able to supply crafted PDFs to crash\n the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted\n PostScript files from using insufficient interpreter\n stack-size checking during error handling to crash the\n interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted\n PostScript files from using incorrect free logic in\n pagedevice replacement to crash the interpreter\n (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice\n handling that could have been used to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted\n PostScript files from using incorrect access checking in\n temp file handling to disclose contents of files on the\n system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution\n allowed attackers to have an unspecified impact\n (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'ztype' could have\n been used by remote attackers able to supply crafted\n PostScript to crash the interpreter or possibly have\n unspecified other impact (bsc#1107426).\n\n - CVE-2018-16585: The .setdistillerkeys PostScript command\n was accepted even though it is not intended for use\n during document processing (e.g., after the startup\n phase). This lead to memory corruption, allowing remote\n attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact\n (bsc#1107581).\n\n - CVE-2018-16802: Incorrect 'restoration of privilege'\n checking when running out of stack during exception\n handling could have been used by attackers able to\n supply crafted PostScript to execute code using the\n 'pipe' instruction. This is due to an incomplete fix for\n CVE-2018-16509 (bsc#1108027).\n\nThese non-security issues were fixed :\n\n - Fixes problems with argument handling, some unintended\n results of the security fixes to the SAFER file access\n restrictions (specifically accessing ICC profile files).\n\n - Avoid that ps2epsi fails with 'Error: /undefined in\n --setpagedevice--'\n\nFor additional changes please check\nhttp://www.ghostscript.com/doc/9.25/News.htm and the changes file of\nthe package. This update was imported from the SUSE:SLE-12:Update\nupdate project.\"\n );\n # http://www.ghostscript.com/doc/9.25/News.htm\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ghostscript.com/doc/9.25/News.htm\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107411\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107421\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109105\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ghostscript packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ghostscript Failed Restore Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-debuginfo-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-debugsource-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-devel-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-mini-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-mini-debuginfo-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-mini-debugsource-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-mini-devel-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-x11-9.25-14.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ghostscript-x11-debuginfo-9.25-14.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript-mini / ghostscript-mini-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-07-04T18:56:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16543", "CVE-2018-16542", "CVE-2018-16513"], "description": "Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).", "modified": "2019-07-04T00:00:00", "published": "2018-09-07T00:00:00", "id": "OPENVAS:1361412562310704288", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704288", "type": "openvas", "title": "Debian Security Advisory DSA 4288-1 (ghostscript - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4288-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704288\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16511\", \"CVE-2018-16513\",\n \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\",\n \"CVE-2018-16585\");\n script_name(\"Debian Security Advisory DSA 4288-1 (ghostscript - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-09-07 00:00:00 +0200 (Fri, 07 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4288.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"ghostscript on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 9.20~dfsg-3.2+deb9u4.\n\nWe recommend that you upgrade your ghostscript packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/ghostscript\");\n script_tag(name:\"summary\", value:\"Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-dbg\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-doc\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-x\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs-dev\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs9\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs9-common\", ver:\"9.20~dfsg-3.2+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:09:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).", "modified": "2020-01-29T00:00:00", "published": "2018-09-13T00:00:00", "id": "OPENVAS:1361412562310891504", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891504", "type": "openvas", "title": "Debian LTS: Security Advisory for ghostscript (DLA-1504-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891504\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-11645\", \"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\",\n \"CVE-2018-16509\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\",\n \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16585\", \"CVE-2018-16802\");\n script_name(\"Debian LTS: Security Advisory for ghostscript (DLA-1504-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-13 00:00:00 +0200 (Thu, 13 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"ghostscript on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n9.06~dfsg-2+deb8u8.\n\nWe recommend that you upgrade your ghostscript packages.\");\n\n script_tag(name:\"summary\", value:\"Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an\ninterpreter for the PostScript language, which could result in denial of\nservice, the creation of files or the execution of arbitrary code if a\nmalformed Postscript file is processed (despite the dSAFER sandbox being\nenabled).\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-dbg\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-doc\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ghostscript-x\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs-dev\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs9\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libgs9-common\", ver:\"9.06~dfsg-2+deb8u8\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T17:39:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310851986", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851986", "type": "openvas", "title": "openSUSE: Security Advisory for ghostscript (openSUSE-SU-2018:3038-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851986\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:27:07 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for ghostscript (openSUSE-SU-2018:3038-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3038-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00012.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ghostscript'\n package(s) announced via the openSUSE-SU-2018:3038-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for ghostscript to version 9.25 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-17183: Remote attackers were be able to supply crafted\n PostScript to potentially overwrite or replace error handlers to inject\n code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill operator that\n could have been used by attackers able to supply crafted PostScript\n files to crash the interpreter or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to supply malicious\n PostScript files to bypass .tempfile restrictions and write files\n (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams\n parameter that could have been used to crash the interpreter or execute\n code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode\n operator that could have been used to crash the interpreter or\n potentially execute code (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor function that\n could have been used to crash the interpreter or possibly have\n unspecified other impact (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege' checking during\n handling\n of /invalidaccess exceptions could be have been used by attackers able\n to supply crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\n primitives could have been used by remote attackers able to supply\n crafted PDFs to crash the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted PostScript\n files from using insufficient interpreter stack-size checking during\n error handling to crash the interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted PostScript\n files from using incorrect free logic in pagedevice replacement to crash\n the interpreter (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice handling that could\n have been used to crash the interpreter or possibly have unspecified\n other impact (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted PostScript\n files from using incorrect access checking in temp file handling to\n disclose contents\n of files on the system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to\n have an unspecified impact (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'zty ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"ghostscript on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript\", rpm:\"ghostscript~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-debuginfo\", rpm:\"ghostscript-debuginfo~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-debugsource\", rpm:\"ghostscript-debugsource~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-devel\", rpm:\"ghostscript-devel~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini\", rpm:\"ghostscript-mini~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-debuginfo\", rpm:\"ghostscript-mini-debuginfo~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-debugsource\", rpm:\"ghostscript-mini-debugsource~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-devel\", rpm:\"ghostscript-mini-devel~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-x11\", rpm:\"ghostscript-x11~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-x11-debuginfo\", rpm:\"ghostscript-x11-debuginfo~9.25~lp150.2.6.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libspectre-debugsource\", rpm:\"libspectre-debugsource~0.2.8~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libspectre-devel\", rpm:\"libspectre-devel~0.2.8~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libspectre1\", rpm:\"libspectre1~0.2.8~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libspectre1-debuginfo\", rpm:\"libspectre1-debuginfo~0.2.8~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-09-20T00:00:00", "id": "OPENVAS:1361412562310843638", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843638", "type": "openvas", "title": "Ubuntu Update for ghostscript USN-3768-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3768_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ghostscript USN-3768-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843638\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-20 07:34:01 +0200 (Thu, 20 Sep 2018)\");\n script_cve_id(\"CVE-2018-11645\", \"CVE-2018-15908\", \"CVE-2018-15909\",\n \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\",\n \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\",\n \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\",\n \"CVE-2018-16802\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for ghostscript USN-3768-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ghostscript'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Tavis Ormandy discovered multiple security issues in Ghostscript. If a user\nor automated system were tricked into processing a specially crafted file,\na remote attacker could possibly use these issues to access arbitrary\nfiles, execute arbitrary code, or cause a denial of service.\");\n script_tag(name:\"affected\", value:\"ghostscript on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3768-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3768-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ghostscript\", ver:\"9.10~dfsg-0ubuntu10.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgs9\", ver:\"9.10~dfsg-0ubuntu10.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ghostscript\", ver:\"9.22~dfsg+1-0ubuntu1.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgs9\", ver:\"9.22~dfsg+1-0ubuntu1.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ghostscript\", ver:\"9.18~dfsg~0-0ubuntu2.9\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libgs9\", ver:\"9.18~dfsg~0-0ubuntu2.9\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T17:39:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-06T00:00:00", "id": "OPENVAS:1361412562310851926", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851926", "type": "openvas", "title": "openSUSE: Security Advisory for ghostscript (openSUSE-SU-2018:3036-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851926\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-06 08:17:19 +0200 (Sat, 06 Oct 2018)\");\n script_cve_id(\"CVE-2018-15908\", \"CVE-2018-15909\", \"CVE-2018-15910\", \"CVE-2018-15911\", \"CVE-2018-16509\", \"CVE-2018-16510\", \"CVE-2018-16511\", \"CVE-2018-16513\", \"CVE-2018-16539\", \"CVE-2018-16540\", \"CVE-2018-16541\", \"CVE-2018-16542\", \"CVE-2018-16543\", \"CVE-2018-16585\", \"CVE-2018-16802\", \"CVE-2018-17183\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for ghostscript (openSUSE-SU-2018:3036-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ghostscript'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for ghostscript to version 9.25 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-17183: Remote attackers were be able to supply crafted\n PostScript to potentially overwrite or replace error handlers to inject\n code (bsc#1109105)\n\n - CVE-2018-15909: Prevent type confusion using the .shfill operator that\n could have been used by attackers able to supply crafted PostScript\n files to crash the interpreter or potentially execute code (bsc#1106172).\n\n - CVE-2018-15908: Prevent attackers that are able to supply malicious\n PostScript files to bypass .tempfile restrictions and write files\n (bsc#1106171).\n\n - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams\n parameter that could have been used to crash the interpreter or execute\n code (bsc#1106173).\n\n - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode\n operator that could have been used to crash the interpreter or\n potentially execute code (bsc#1106195).\n\n - CVE-2018-16513: Prevent a type confusion in the setcolor function that\n could have been used to crash the interpreter or possibly have\n unspecified other impact (bsc#1107412).\n\n - CVE-2018-16509: Incorrect 'restoration of privilege' checking during\n handling\n of /invalidaccess exceptions could be have been used by attackers able\n to supply crafted PostScript to execute code using the 'pipe'\n instruction (bsc#1107410).\n\n - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF\n primitives could have been used by remote attackers able to supply\n crafted PDFs to crash the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n\n - CVE-2018-16542: Prevent attackers able to supply crafted PostScript\n files from using insufficient interpreter stack-size checking during\n error handling to crash the interpreter (bsc#1107413).\n\n - CVE-2018-16541: Prevent attackers able to supply crafted PostScript\n files from using incorrect free logic in pagedevice replacement to crash\n the interpreter (bsc#1107421).\n\n - CVE-2018-16540: Prevent use-after-free in copydevice handling that could\n have been used to crash the interpreter or possibly have unspecified\n other impact (bsc#1107420).\n\n - CVE-2018-16539: Prevent attackers able to supply crafted PostScript\n files from using incorrect access checking in temp file handling to\n disclose contents\n of files on the system otherwise not readable (bsc#1107422).\n\n - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to\n have an unspecified impact (bsc#1107423).\n\n - CVE-2018-16511: A type confusion in 'zty ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"ghostscript on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3036-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript\", rpm:\"ghostscript~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-debuginfo\", rpm:\"ghostscript-debuginfo~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-debugsource\", rpm:\"ghostscript-debugsource~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-devel\", rpm:\"ghostscript-devel~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini\", rpm:\"ghostscript-mini~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-debuginfo\", rpm:\"ghostscript-mini-debuginfo~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-debugsource\", rpm:\"ghostscript-mini-debugsource~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-mini-devel\", rpm:\"ghostscript-mini-devel~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-x11\", rpm:\"ghostscript-x11~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ghostscript-x11-debuginfo\", rpm:\"ghostscript-x11-debuginfo~9.25~14.9.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:37:33", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "**Issue Overview:**\n\nIt was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-15909 __](<https://access.redhat.com/security/cve/CVE-2018-15909>))\n\nAn issue was discovered in Artifex Ghostscript before 9.24. A type confusion in &quot;ztype&quot; could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.([CVE-2018-16511 __](<https://access.redhat.com/security/cve/CVE-2018-16511>))\n\nAn issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.([CVE-2018-16585 __](<https://access.redhat.com/security/cve/CVE-2018-16585>))\n\nIt was discovered that the ghostscript PDF14 compositor did not properly handle the copying of a device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-16540 __](<https://access.redhat.com/security/cve/CVE-2018-16540>))\n\nIt was discovered that the ghostscript device cleanup did not properly handle devices replaced with a null device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-16541 __](<https://access.redhat.com/security/cve/CVE-2018-16541>))\n\nIt was discovered that the ghostscript did not properly restrict access to files open prior to enabling the -dSAFER mode. An attacker could possibly exploit this to bypass the -dSAFER protection and disclose the content of affected files via a specially crafted PostScript document.([CVE-2018-16539 __](<https://access.redhat.com/security/cve/CVE-2018-16539>))\n\nAn issue was discovered in Artifex Ghostscript before 9.25. Incorrect &quot;restoration of privilege&quot; checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the &quot;pipe&quot; instruction. This is due to an incomplete fix for [CVE-2018-16509 __](<https://access.redhat.com/security/cve/CVE-2018-16509>).([CVE-2018-16802 __](<https://access.redhat.com/security/cve/CVE-2018-16802>))\n\nIt was discovered that ghostscript did not properly handle certain stack overflow error conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-16542 __](<https://access.redhat.com/security/cve/CVE-2018-16542>))\n\nGhostscript did not honor the -dSAFER option when executing the &quot;status&quot; instruction, which can be used to retrieve information such as a file&#x27;s existence and size. A specially crafted postscript document could use this flow to gain information on the targeted system&#x27;s filesystem content.([CVE-2018-11645 __](<https://access.redhat.com/security/cve/CVE-2018-11645>))\n\nIt was discovered that the ghostscript did not properly validate the operands passed to the setcolor function. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-16513 __](<https://access.redhat.com/security/cve/CVE-2018-16513>))\n\nIt was discovered that the type of the LockDistillerParams parameter is not properly verified. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-15910 __](<https://access.redhat.com/security/cve/CVE-2018-15910>))\n\nIt was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.([CVE-2018-16509 __](<https://access.redhat.com/security/cve/CVE-2018-16509>))\n\nIt was discovered that ghostscript did not properly verify the key used in aesdecode. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.([CVE-2018-15911 __](<https://access.redhat.com/security/cve/CVE-2018-15911>))\n\nIt was discovered that the ghostscript .tempfile function did not properly handle file permissions. An attacker could possibly exploit this to exploit this to bypass the -dSAFER protection and delete files or disclose their content via a specially crafted PostScript document.([CVE-2018-15908 __](<https://access.redhat.com/security/cve/CVE-2018-15908>))\n\n \n**Affected Packages:** \n\n\nghostscript\n\n \n**Issue Correction:** \nRun _yum update ghostscript_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ghostscript-9.06-8.amzn2.0.5.i686 \n ghostscript-devel-9.06-8.amzn2.0.5.i686 \n ghostscript-gtk-9.06-8.amzn2.0.5.i686 \n ghostscript-cups-9.06-8.amzn2.0.5.i686 \n ghostscript-debuginfo-9.06-8.amzn2.0.5.i686 \n \n noarch: \n ghostscript-doc-9.06-8.amzn2.0.5.noarch \n \n src: \n ghostscript-9.06-8.amzn2.0.5.src \n \n x86_64: \n ghostscript-9.06-8.amzn2.0.5.x86_64 \n ghostscript-devel-9.06-8.amzn2.0.5.x86_64 \n ghostscript-gtk-9.06-8.amzn2.0.5.x86_64 \n ghostscript-cups-9.06-8.amzn2.0.5.x86_64 \n ghostscript-debuginfo-9.06-8.amzn2.0.5.x86_64 \n \n \n", "edition": 1, "modified": "2018-10-08T22:17:00", "published": "2018-10-08T22:17:00", "id": "ALAS2-2018-1088", "href": "https://alas.aws.amazon.com/AL2/ALAS-2018-1088.html", "title": "Important: ghostscript", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2018-10-05T22:29:19", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "This update for ghostscript to version 9.25 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-17183: Remote attackers were be able to supply crafted\n PostScript to potentially overwrite or replace error handlers to inject\n code (bsc#1109105)\n - CVE-2018-15909: Prevent type confusion using the .shfill operator that\n could have been used by attackers able to supply crafted PostScript\n files to crash the interpreter or potentially execute code (bsc#1106172).\n - CVE-2018-15908: Prevent attackers that are able to supply malicious\n PostScript files to bypass .tempfile restrictions and write files\n (bsc#1106171).\n - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams\n parameter that could have been used to crash the interpreter or execute\n code (bsc#1106173).\n - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode\n operator that could have been used to crash the interpreter or\n potentially execute code (bsc#1106195).\n - CVE-2018-16513: Prevent a type confusion in the setcolor function that\n could have been used to crash the interpreter or possibly have\n unspecified other impact (bsc#1107412).\n - CVE-2018-16509: Incorrect &quot;restoration of privilege&quot; checking during\n handling\n of /invalidaccess exceptions could be have been used by attackers able\n to supply crafted PostScript to execute code using the &quot;pipe&quot;\n instruction (bsc#1107410).\n - CVE-2018-16510: Incorrect exec stack handling in the &quot;CS&quot; and &quot;SC&quot; PDF\n primitives could have been used by remote attackers able to supply\n crafted PDFs to crash the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n - CVE-2018-16542: Prevent attackers able to supply crafted PostScript\n files from using insufficient interpreter stack-size checking during\n error handling to crash the interpreter (bsc#1107413).\n - CVE-2018-16541: Prevent attackers able to supply crafted PostScript\n files from using incorrect free logic in pagedevice replacement to crash\n the interpreter (bsc#1107421).\n - CVE-2018-16540: Prevent use-after-free in copydevice handling that could\n have been used to crash the interpreter or possibly have unspecified\n other impact (bsc#1107420).\n - CVE-2018-16539: Prevent attackers able to supply crafted PostScript\n files from using incorrect access checking in temp file handling to\n disclose contents\n of files on the system otherwise not readable (bsc#1107422).\n - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to\n have an unspecified impact (bsc#1107423).\n - CVE-2018-16511: A type confusion in &quot;ztype&quot; could have been used by\n remote attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact (bsc#1107426).\n - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted\n even though it is not intended for use during document processing (e.g.,\n after the startup phase). This lead to memory corruption, allowing\n remote attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact (bsc#1107581).\n - CVE-2018-16802: Incorrect &quot;restoration of privilege&quot; checking when\n running\n out of stack during exception handling could have been used by attackers\n able to supply crafted PostScript to execute code using the &quot;pipe&quot;\n instruction. This is due to an incomplete fix for CVE-2018-16509\n (bsc#1108027).\n\n These non-security issues were fixed:\n\n * Fixes problems with argument handling, some unintended results of the\n security fixes to the SAFER file access restrictions (specifically\n accessing ICC profile files).\n * Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--'\n\n For additional changes please check\n <a rel=\"nofollow\" href=\"http://www.ghostscript.com/doc/9.25/News.htm\">http://www.ghostscript.com/doc/9.25/News.htm</a> and the changes file of the\n package.\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2018-10-05T21:10:24", "published": "2018-10-05T21:10:24", "id": "OPENSUSE-SU-2018:3036-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html", "title": "Security update for ghostscript (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-05T22:29:19", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-17183", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "This update for ghostscript to version 9.25 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-17183: Remote attackers were be able to supply crafted\n PostScript to potentially overwrite or replace error handlers to inject\n code (bsc#1109105)\n - CVE-2018-15909: Prevent type confusion using the .shfill operator that\n could have been used by attackers able to supply crafted PostScript\n files to crash the interpreter or potentially execute code (bsc#1106172).\n - CVE-2018-15908: Prevent attackers that are able to supply malicious\n PostScript files to bypass .tempfile restrictions and write files\n (bsc#1106171).\n - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams\n parameter that could have been used to crash the interpreter or execute\n code (bsc#1106173).\n - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode\n operator that could have been used to crash the interpreter or\n potentially execute code (bsc#1106195).\n - CVE-2018-16513: Prevent a type confusion in the setcolor function that\n could have been used to crash the interpreter or possibly have\n unspecified other impact (bsc#1107412).\n - CVE-2018-16509: Incorrect &quot;restoration of privilege&quot; checking during\n handling\n of /invalidaccess exceptions could be have been used by attackers able\n to supply crafted PostScript to execute code using the &quot;pipe&quot;\n instruction (bsc#1107410).\n - CVE-2018-16510: Incorrect exec stack handling in the &quot;CS&quot; and &quot;SC&quot; PDF\n primitives could have been used by remote attackers able to supply\n crafted PDFs to crash the interpreter or possibly have unspecified other\n impact (bsc#1107411).\n - CVE-2018-16542: Prevent attackers able to supply crafted PostScript\n files from using insufficient interpreter stack-size checking during\n error handling to crash the interpreter (bsc#1107413).\n - CVE-2018-16541: Prevent attackers able to supply crafted PostScript\n files from using incorrect free logic in pagedevice replacement to crash\n the interpreter (bsc#1107421).\n - CVE-2018-16540: Prevent use-after-free in copydevice handling that could\n have been used to crash the interpreter or possibly have unspecified\n other impact (bsc#1107420).\n - CVE-2018-16539: Prevent attackers able to supply crafted PostScript\n files from using incorrect access checking in temp file handling to\n disclose contents\n of files on the system otherwise not readable (bsc#1107422).\n - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to\n have an unspecified impact (bsc#1107423).\n - CVE-2018-16511: A type confusion in &quot;ztype&quot; could have been used by\n remote attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact (bsc#1107426).\n - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted\n even though it is not intended for use during document processing (e.g.,\n after the startup phase). This lead to memory corruption, allowing\n remote attackers able to supply crafted PostScript to crash the\n interpreter or possibly have unspecified other impact (bsc#1107581).\n - CVE-2018-16802: Incorrect &quot;restoration of privilege&quot; checking when\n running\n out of stack during exception handling could have been used by attackers\n able to supply crafted PostScript to execute code using the &quot;pipe&quot;\n instruction. This is due to an incomplete fix for CVE-2018-16509\n (bsc#1108027).\n\n These non-security issues were fixed:\n\n * Fixes problems with argument handling, some unintended results of the\n security fixes to the SAFER file access restrictions (specifically\n accessing ICC profile files).\n * Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--'\n\n For additional changes please check\n <a rel=\"nofollow\" href=\"http://www.ghostscript.com/doc/9.25/News.htm\">http://www.ghostscript.com/doc/9.25/News.htm</a>\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-10-05T21:13:14", "published": "2018-10-05T21:13:14", "id": "OPENSUSE-SU-2018:3038-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00012.html", "title": "Security update for ghostscript (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2020-07-02T11:39:58", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2018-15908", "CVE-2018-16585", "CVE-2018-16540", "CVE-2018-15911", "CVE-2018-11645", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2018-16539", "CVE-2018-16509", "CVE-2018-16543", "CVE-2018-15909", "CVE-2018-16542", "CVE-2018-16513"], "description": "Tavis Ormandy discovered multiple security issues in Ghostscript. If a user \nor automated system were tricked into processing a specially crafted file, \na remote attacker could possibly use these issues to access arbitrary \nfiles, execute arbitrary code, or cause a denial of service.", "edition": 5, "modified": "2018-09-19T00:00:00", "published": "2018-09-19T00:00:00", "id": "USN-3768-1", "href": "https://ubuntu.com/security/notices/USN-3768-1", "title": "Ghostscript vulnerabilities", "type": "ubuntu", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2018-11-25T00:34:57", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15910", "CVE-2017-11714", "CVE-2018-15908", "CVE-2017-9618", "CVE-2018-16585", "CVE-2017-9740", "CVE-2017-9611", "CVE-2018-16540", "CVE-2018-18284", "CVE-2018-15911", "CVE-2017-7948", "CVE-2017-9835", "CVE-2018-16802", "CVE-2018-16510", "CVE-2018-16511", "CVE-2018-16541", "CVE-2017-9726", "CVE-2018-10194", "CVE-2017-9612", "CVE-2018-16539", "CVE-2018-16509", "CVE-2017-9610", "CVE-2017-9739", "CVE-2018-19409", "CVE-2018-16543", "CVE-2018-15909", "CVE-2017-9620", "CVE-2018-16542", "CVE-2017-9727", "CVE-2018-16513", "CVE-2017-9619"], "description": "### Background\n\nGhostscript is an interpreter for the PostScript language and for PDF.\n\n### Description\n\nMultiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for additional information. \n\n### Impact\n\nA context-dependent attacker could entice a user to open a specially crafted PostScript file or PDF document using GPL Ghostscript possibly resulting in the execution of arbitrary code with the privileges of the process, a Denial of Service condition, or other unspecified impacts, \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GPL Ghostscript users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/ghostscript-gpl-9.26\"", "edition": 1, "modified": "2018-11-24T00:00:00", "published": "2018-11-24T00:00:00", "id": "GLSA-201811-12", "href": "https://security.gentoo.org/glsa/201811-12", "title": "GPL Ghostscript: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}