According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
In Artifex Ghostscript before 9.26, a carefully crafted PDF file can trigger an extremely long running computation when parsing the file.(CVE-2018-19478)
The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module.(CVE-2016-10220)
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.(CVE-2017-7885)
Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.(CVE-2017-7975)
psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the scanner state structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document, related to an out-of-bounds read in the igc_reloc_struct_ptr function in psi/igc.c.(CVE-2017-11714)
The gs_alloc_ref_array function in psi/ialloc.c in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document. This is related to a lack of an integer overflow check in base/gsalloc.c.(CVE-2017-9835)
The pdf14_pop_transparency_group function in base/gdevp14.c in the PDF Transparency module in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.(CVE-2016-10218)
The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document.(CVE-2016-10317)
The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted file that is mishandled in the color management module.(CVE-2016-10217)
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file.(CVE-2016-10219)
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.(CVE-2017-5951)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(131862);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/04");
script_cve_id(
"CVE-2016-10217",
"CVE-2016-10218",
"CVE-2016-10219",
"CVE-2016-10220",
"CVE-2016-10317",
"CVE-2017-11714",
"CVE-2017-5951",
"CVE-2017-7885",
"CVE-2017-7975",
"CVE-2017-9835",
"CVE-2018-19478"
);
script_name(english:"EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-2370)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the ghostscript packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- In Artifex Ghostscript before 9.26, a carefully crafted
PDF file can trigger an extremely long running
computation when parsing the file.(CVE-2018-19478)
- The gs_makewordimagedevice function in base/gsdevmem.c
in Artifex Software, Inc. Ghostscript 9.20 allows
remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a
crafted file that is mishandled in the PDF Transparency
module.(CVE-2016-10220)
- Artifex jbig2dec 0.13 has a heap-based buffer over-read
leading to denial of service (application crash) or
disclosure of sensitive information from process
memory, because of an integer overflow in the
jbig2_decode_symbol_dict function in
jbig2_symbol_dict.c in libjbig2dec.a during operation
on a crafted .jb2 file.(CVE-2017-7885)
- Artifex jbig2dec 0.13, as used in Ghostscript, allows
out-of-bounds writes because of an integer overflow in
the jbig2_build_huffman_table function in
jbig2_huffman.c during operations on a crafted JBIG2
file, leading to a denial of service (application
crash) or possibly execution of arbitrary
code.(CVE-2017-7975)
- psi/ztoken.c in Artifex Ghostscript 9.21 mishandles
references to the scanner state structure, which allows
remote attackers to cause a denial of service
(application crash) or possibly have unspecified other
impact via a crafted PostScript document, related to an
out-of-bounds read in the igc_reloc_struct_ptr function
in psi/igc.c.(CVE-2017-11714)
- The gs_alloc_ref_array function in psi/ialloc.c in
Artifex Ghostscript 9.21 allows remote attackers to
cause a denial of service (heap-based buffer overflow
and application crash) or possibly have unspecified
other impact via a crafted PostScript document. This is
related to a lack of an integer overflow check in
base/gsalloc.c.(CVE-2017-9835)
- The pdf14_pop_transparency_group function in
base/gdevp14.c in the PDF Transparency module in
Artifex Software, Inc. Ghostscript 9.20 allows remote
attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted
file.(CVE-2016-10218)
- The fill_threshhold_buffer function in
base/gxht_thresh.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a
denial of service (heap-based buffer overflow and
application crash) or possibly have unspecified other
impact via a crafted PostScript
document.(CVE-2016-10317)
- The pdf14_open function in base/gdevp14.c in Artifex
Software, Inc. Ghostscript 9.20 allows remote attackers
to cause a denial of service (use-after-free and
application crash) via a crafted file that is
mishandled in the color management
module.(CVE-2016-10217)
- The intersect function in base/gxfill.c in Artifex
Software, Inc. Ghostscript 9.20 allows remote attackers
to cause a denial of service (divide-by-zero error and
application crash) via a crafted file.(CVE-2016-10219)
- The mem_get_bits_rectangle function in base/gdevmem.c
in Artifex Software, Inc. Ghostscript 9.20 allows
remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a
crafted file.(CVE-2017-5951)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2370
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?12e3aad4");
script_set_attribute(attribute:"solution", value:
"Update the affected ghostscript packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9835");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ghostscript-cups");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["ghostscript-9.07-31.6.h15",
"ghostscript-cups-9.07-31.6.h15"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ghostscript");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | ghostscript | p-cpe:/a:huawei:euleros:ghostscript |
huawei | euleros | ghostscript-cups | p-cpe:/a:huawei:euleros:ghostscript-cups |
huawei | euleros | 2.0 | cpe:/o:huawei:euleros:2.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10217
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10219
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10220
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10317
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11714
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5951
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9835
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19478
www.nessus.org/u?12e3aad4