TencentOS Server 3: ghostscript (TSSA-2022:0123)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType

TencentOS Server 3 is vulnerable due to outdated ghostscript; updates available for security flaws.

Reporter	Title	Published	Views	Family All 616
0day.today	Ghostscript 9.26 - Pseudo-Operator Remote Code Execution Exploit	24 Jan 201900:00	–	zdt
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Ghostscript affect PowerKVM	4 Mar 201905:50	–	ibm
IBM Security Bulletins	Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript.	21 Feb 202204:39	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabiliies in ghostscript affect PowerKVM	17 May 201916:05	–	ibm
FreeBSD	Ghostscript -- Security bypass vulnerabilities	20 Aug 201900:00	–	freebsd
FreeBSD	Ghostscript -- Security bypass vulnerability	21 Mar 201900:00	–	freebsd
Tenable Nessus	Amazon Linux 2 : ghostscript (ALAS-2021-1598)	19 Feb 202100:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ghostscript (ALAS-2023-2003)	22 Mar 202300:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0123: ghostscript (ALINUX3-SA-2022:0123)	14 May 202500:00	–	nessus
Tenable Nessus	CentOS 8 : ghostscript (CESA-2019:0971)	29 Jan 202100:00	–	nessus

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20220123.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2022:0123.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(240001);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id(
    "CVE-2019-10216",
    "CVE-2019-14811",
    "CVE-2019-14812",
    "CVE-2019-14813",
    "CVE-2019-14817",
    "CVE-2019-14869",
    "CVE-2019-3835",
    "CVE-2019-3838",
    "CVE-2019-3839",
    "CVE-2019-6116"
  );

  script_name(english:"TencentOS Server 3: ghostscript (TSSA-2022:0123)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0123 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2019-10216:
    In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged
    calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a
    specially crafted PostScript file that could escalate privileges and access files outside of restricted
    areas.

    CVE-2019-14811:
    A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it
    did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A
    specially crafted PostScript file could disable security protection and then have access to the file
    system, or execute arbitrary commands.

    CVE-2019-14812:
    A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it
    did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A
    specially crafted PostScript file could disable security protection and then have access to the file
    system, or execute arbitrary commands.

    CVE-2019-14813:
    A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did
    not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially
    crafted PostScript file could disable security protection and then have access to the file system, or
    execute arbitrary commands.

    CVE-2019-14817:
    A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where
    it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A
    specially crafted PostScript file could disable security protection and then have access to the file
    system, or execute arbitrary commands.

    CVE-2019-14869:
    A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it
    did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An
    attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate
    privileges within the Ghostscript and access files outside of restricted areas or execute commands.

    CVE-2019-3835:
    It was found that the superexec operator was available in the internal dictionary in ghostscript before
    9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the
    file system outside of the constrains imposed by -dSAFER.

    CVE-2019-3838:
    It was found that the forceput operator could be extracted from the DefineResource method in ghostscript
    before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access
    to the file system outside of the constrains imposed by -dSAFER.

    CVE-2019-3839:
    It was found that in ghostscript some privileged operators remained accessible from various places after
    the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example,
    have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before
    9.27 are vulnerable.

    CVE-2019-6116:
    In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system
    operators, leading to remote code execution.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20220123.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14813");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/07/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/07/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:ghostscript");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'ghostscript-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-debuginfo-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-debuginfo-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-debugsource-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-debugsource-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-doc-9.25-5.tl3.1', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-gtk-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-gtk-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-gtk-debuginfo-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-gtk-debuginfo-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-dvipdf-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-dvipdf-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-fonts-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-fonts-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-printing-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-tools-printing-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-x11-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-x11-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-x11-debuginfo-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'ghostscript-x11-debuginfo-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-debuginfo-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-debuginfo-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-devel-9.25-5.tl3.1', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'libgs-devel-9.25-5.tl3.1', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-debuginfo / ghostscript-debugsource / etc');
}

20 Nov 2025 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 27.5

CVSS 3.19.8

CVSS 37.3

EPSS0.60542