SB2020083001 - Gentoo update for GPL Ghostscript

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020083001

SB2020083001 - Gentoo update for GPL Ghostscript

Published: August 30, 2020

Security Bulletin ID SB2020083001
Severity
High
Patch available
YES
Number of vulnerabilities 26
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 12% Medium 88%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 26 secuirty vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2020-15900)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when use of a non-standard PostScript operator can allow overriding of file access controls. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Input validation error (CVE-ID: CVE-2020-16287)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


3) Input validation error (CVE-ID: CVE-2020-16288)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


4) Input validation error (CVE-ID: CVE-2020-16289)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


5) Input validation error (CVE-ID: CVE-2020-16290)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


6) Input validation error (CVE-ID: CVE-2020-16291)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


7) Input validation error (CVE-ID: CVE-2020-16292)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


8) Input validation error (CVE-ID: CVE-2020-16293)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


9) Input validation error (CVE-ID: CVE-2020-16294)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


10) Input validation error (CVE-ID: CVE-2020-16295)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


11) Input validation error (CVE-ID: CVE-2020-16296)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


12) Input validation error (CVE-ID: CVE-2020-16297)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


13) Input validation error (CVE-ID: CVE-2020-16298)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


14) Input validation error (CVE-ID: CVE-2020-16299)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


15) Input validation error (CVE-ID: CVE-2020-16300)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in devices/gdevtfnx.c. A remote attacker can cause a denial of service via a crafted PDF file.


16) Input validation error (CVE-ID: CVE-2020-16301)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service via a crafted PDF file.


17) Buffer overflow (CVE-ID: CVE-2020-16302)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A buffer overflow vulnerability exists in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript. A remote attacker can trick the victim to open a specially crafted PDF file, trigger memory corruption and execute arbitrary code on the system.


18) Use-after-free (CVE-ID: CVE-2020-16303)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing a crafted PDF file in devices/vector/gdevxps.c. A remote attacker can trick the victim to open a specially crafted PDF file, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


19) Out-of-bounds write (CVE-ID: CVE-2020-16304)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A buffer overflow vulnerability in image_render_color_thresh() in base/gxicolor.c of Artifex Software GhostScript v9.50 allows a remote attacker to execute arbitrary code on the system via a crafted eps file.


20) Input validation error (CVE-ID: CVE-2020-16305)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in devices/gdevpcx.c. A remote attacker can cause a denial of service via a crafted PDF file.


21) Input validation error (CVE-ID: CVE-2020-16306)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in devices/gdevtsep.c. A remote attacker can cause a denial of service via a crafted postscript file.


22) Input validation error (CVE-ID: CVE-2020-16307)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in devices/vector/gdevtxtw.c. A remote attacker can cause a denial of service via a crafted postscript file.


23) Input validation error (CVE-ID: CVE-2020-16308)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in devices/gdevcdj.c. A remote attacker can cause a denial of service via a crafted PDF file.


24) Input validation error (CVE-ID: CVE-2020-16309)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in gdevlxm.c. A remote attacker can cause a denial of service via a crafted eps file.


25) Input validation error (CVE-ID: CVE-2020-16310)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in gdevdm24.c. A remote attacker can cause a denial of service via a crafted PDF file.


26) Input validation error (CVE-ID: CVE-2020-17538)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in GetNumSameData() and GetNumWrongData() function. A remote attacker can cause a denial of service via a crafted PDF file.


Remediation

Install update from vendor's website.

References