Ghostscript vulnerabilities

2009-04-1500:00:00

ubuntu.com

8.2 High

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.139 Low

EPSS

Percentile

95.6%

JSON

Releases

Ubuntu 8.10
Ubuntu 8.04
Ubuntu 6.06

Packages

ghostscript -
gs-esp -
gs-gpl -

Details

It was discovered that Ghostscript contained a buffer underflow in its
CCITTFax decoding filter. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause a denial of service or
execute arbitrary code with privileges of the user invoking the program.
(CVE-2007-6725)

It was discovered that Ghostscript contained a buffer overflow in the
BaseFont writer module. If a user or automated system were tricked into
opening a crafted Postscript file, an attacker could cause a denial of
service or execute arbitrary code with privileges of the user invoking the
program. (CVE-2008-6679)

It was discovered that Ghostscript contained additional integer overflows
in its ICC color management library. If a user or automated system were
tricked into opening a crafted Postscript or PDF file, an attacker could
cause a denial of service or execute arbitrary code with privileges of the
user invoking the program. (CVE-2009-0792)

Alin Rad Pop discovered that Ghostscript contained a buffer overflow in the
jbig2dec library. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service or execute
arbitrary code with privileges of the user invoking the program.
(CVE-2009-0196)

USN-743-1 provided updated ghostscript and gs-gpl packages to fix two
security vulnerabilities. This update corrects the same vulnerabilities in
the gs-esp package.

Original advisory details:
It was discovered that Ghostscript contained multiple integer overflows in
its ICC color management library. If a user or automated system were
tricked into opening a crafted Postscript file, an attacker could cause a
denial of service or execute arbitrary code with privileges of the user
invoking the program. (CVE-2009-0583)

It was discovered that Ghostscript did not properly perform bounds
checking in its ICC color management library. If a user or automated
system were tricked into opening a crafted Postscript file, an attacker
could cause a denial of service or execute arbitrary code with privileges
of the user invoking the program. (CVE-2009-0584)

OSVersionArchitecturePackageVersionFilename
Ubuntu8.10noarchlibgs8< 8.63.dfsg.1-0ubuntu6.4UNKNOWN
Ubuntu8.10noarchghostscript< 8.63.dfsg.1-0ubuntu6.4UNKNOWN
Ubuntu8.10noarchghostscript-x< 8.63.dfsg.1-0ubuntu6.4UNKNOWN
Ubuntu8.10noarchlibgs-dev< 8.63.dfsg.1-0ubuntu6.4UNKNOWN
Ubuntu8.04noarchlibgs8< 8.61.dfsg.1-1ubuntu3.2UNKNOWN
Ubuntu8.04noarchghostscript< 8.61.dfsg.1-1ubuntu3.2UNKNOWN
Ubuntu8.04noarchghostscript-x< 8.61.dfsg.1-1ubuntu3.2UNKNOWN
Ubuntu8.04noarchlibgs-dev< 8.61.dfsg.1-1ubuntu3.2UNKNOWN
Ubuntu6.06noarchgs-gpl< 8.15-4ubuntu3.3UNKNOWN
Ubuntu6.06noarchgs-esp< 8.15.2.dfsg.0ubuntu1-0ubuntu1.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	8.10	noarch	libgs8	< 8.63.dfsg.1-0ubuntu6.4	UNKNOWN
Ubuntu	8.10	noarch	ghostscript	< 8.63.dfsg.1-0ubuntu6.4	UNKNOWN
Ubuntu	8.10	noarch	ghostscript-x	< 8.63.dfsg.1-0ubuntu6.4	UNKNOWN
Ubuntu	8.10	noarch	libgs-dev	< 8.63.dfsg.1-0ubuntu6.4	UNKNOWN
Ubuntu	8.04	noarch	libgs8	< 8.61.dfsg.1-1ubuntu3.2	UNKNOWN
Ubuntu	8.04	noarch	ghostscript	< 8.61.dfsg.1-1ubuntu3.2	UNKNOWN
Ubuntu	8.04	noarch	ghostscript-x	< 8.61.dfsg.1-1ubuntu3.2	UNKNOWN
Ubuntu	8.04	noarch	libgs-dev	< 8.61.dfsg.1-1ubuntu3.2	UNKNOWN
Ubuntu	6.06	noarch	gs-gpl	< 8.15-4ubuntu3.3	UNKNOWN
Ubuntu	6.06	noarch	gs-esp	< 8.15.2.dfsg.0ubuntu1-0ubuntu1.2	UNKNOWN