It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities:

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used. (CVE-2018-19409)

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document. (CVE-2018-15908)

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect restoration of privilege checking when     running out of stack during exception handling could be     used by attackers able to supply crafted PostScript to     execute code using the pipe instruction. This is due     to an incomplete fix for CVE-2018-16509.
    (CVE-2018-16802)

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript document.
    (CVE-2018-16541)

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document. (CVE-2018-15911)

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this to     bypass the -dSAFER protection and disclose the content     of affected files via a specially crafted PostScript     document. (CVE-2018-16539)

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code. (CVE-2018-17183)

  - Artifex Ghostscript 9.25 and earlier allows attackers to     bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for CVE-2018-17183.
    (CVE-2018-17961)

  - Artifex Ghostscript allows attackers to bypass a sandbox     protection mechanism by leveraging exposure of system     operators in the saved execution stack in an error     object. (CVE-2018-18073)

  - Artifex Ghostscript 9.25 and earlier allows attackers to     bypass a sandbox protection mechanism via vectors     involving the 1Policy operator. (CVE-2018-18284)

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript document.
    (CVE-2018-16863)

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit this     to crash Ghostscript or, possibly, execute arbitrary     code in the context of the Ghostscript process. This is     a type confusion issue because of failure to check     whether the Implementation of a pattern dictionary was a     structure type. (CVE-2018-19134)

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript document. (CVE-2018-15909)

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process. (CVE-2018-16511)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document.i1/4^CVE-2018-15908i1/4%0

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15909i1/4%0

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process.i1/4^CVE-2018-16511i1/4%0

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this     to bypass the -dSAFER protection and disclose the     content of affected files via a specially crafted     PostScript document.i1/4^CVE-2018-16539i1/4%0

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript     document.i1/4^CVE-2018-16541i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

  - ghostscript: incorrect access checking in temp file     handling to disclose contents of files (699658)     (CVE-2018-16539)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: gssetresolution and gsgetresolution memory     corruption(CVE-2018-16543)

  - ghostscript: use-after-free in copydevice     handling(CVE-2018-16540)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

  - ghostscript: gssetresolution and gsgetresolution memory     corruption(CVE-2018-16543)

  - ghostscript: use-after-free in copydevice     handling(CVE-2018-16540)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the ghostscript .tempfile     function did not properly handle file permissions. An     attacker could possibly exploit this to exploit this to     bypass the -dSAFER protection and delete files or     disclose their content via a specially crafted     PostScript document.i1/4^CVE-2018-15908i1/4%0

  - It was discovered that the ghostscript .shfill operator     did not properly validate certain types. An attacker     could possibly exploit this to bypass the -dSAFER     protection and crash ghostscript or, possibly, execute     arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15909i1/4%0

  - It was discovered that ghostscript did not properly     verify the key used in aesdecode. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-15911i1/4%0

  - It was discovered that the ghostscript .type operator     did not properly validate its operands. A specially     crafted PostScript document could exploit this to crash     ghostscript or, possibly, execute arbitrary code in the     context of the ghostscript process.i1/4^CVE-2018-16511i1/4%0

  - It was discovered that the ghostscript did not properly     restrict access to files open prior to enabling the
    -dSAFER mode. An attacker could possibly exploit this     to bypass the -dSAFER protection and disclose the     content of affected files via a specially crafted     PostScript document.i1/4^CVE-2018-16539i1/4%0

  - It was discovered that the ghostscript device cleanup     did not properly handle devices replaced with a null     device. An attacker could possibly exploit this to     bypass the -dSAFER protection and crash ghostscript or,     possibly, execute arbitrary code in the ghostscript     context via a specially crafted PostScript     document.i1/4^CVE-2018-16541i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.25. Incorrect 'restoration of privilege' checking     when running out of stack during exception handling     could be used by attackers able to supply crafted     PostScript to execute code using the 'pipe'     instruction. This is due to an incomplete fix for     CVE-2018-16509.i1/4^CVE-2018-16802i1/4%0

  - It was found that RHSA-2018:2918 did not fully fix     CVE-2018-16509. An attacker could possibly exploit     another variant of the flaw and bypass the -dSAFER     protection to, for example, execute arbitrary shell     commands via a specially crafted PostScript     document.i1/4^CVE-2018-16863i1/4%0

  - Artifex Ghostscript before 9.25 allowed a user-writable     error exception table, which could be used by remote     attackers able to supply crafted PostScript to     potentially overwrite or replace error handlers to     inject code.i1/4^CVE-2018-17183i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving errorhandler setup. NOTE: this issue exists     because of an incomplete fix for     CVE-2018-17183.i1/4^CVE-2018-17961i1/4%0

  - Artifex Ghostscript allows attackers to bypass a     sandbox protection mechanism by leveraging exposure of     system operators in the saved execution stack in an     error object.i1/4^CVE-2018-18073i1/4%0

  - Artifex Ghostscript 9.25 and earlier allows attackers     to bypass a sandbox protection mechanism via vectors     involving the 1Policy operator.i1/4^CVE-2018-18284i1/4%0

  - In Artifex Ghostscript through 9.25, the setpattern     operator did not properly validate certain types. A     specially crafted PostScript document could exploit     this to crash Ghostscript or, possibly, execute     arbitrary code in the context of the Ghostscript     process. This is a type confusion issue because of     failure to check whether the Implementation of a     pattern dictionary was a structure     type.i1/4^CVE-2018-19134i1/4%0

  - An issue was discovered in Artifex Ghostscript before     9.26. LockSafetyParams is not checked correctly if     another device is used.i1/4^CVE-2018-19409i1/4%0

  - It was discovered that ghostscript did not properly     handle certain stack overflow error conditions. An     attacker could possibly exploit this to bypass the
    -dSAFER protection and crash ghostscript or, possibly,     execute arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-16542i1/4%0

  - It was discovered that the type of the     LockDistillerParams parameter is not properly verified.
    An attacker could possibly exploit this to bypass the
    -dSAFER protection and crash ghostscript or, possibly,     execute arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-15910i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for ghostscript is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Security Fix(es) :

* ghostscript: incomplete fix for CVE-2018-16509 (CVE-2018-16863)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* Previously, the flushpage operator has been removed as part of a major clean-up of a non-standard operator. However, flushpage has been found to be used in a few specific use cases. With this update, it has been re-added to support those use cases. (BZ#1654290)

Security Fix(es) :

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

Bug Fix(es) :

  - Previously, the flushpage operator has been removed as     part of a major clean-up of a non-standard operator.
    However, flushpage has been found to be used in a few     specific use cases. With this update, it has been re-     added to support those use cases.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:3761 advisory.

  - ghostscript: incomplete fix for CVE-2018-16509 (CVE-2018-16863)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2018-3761 advisory.

    [9.07-31.el7_6.3]
    - Resolves: #1654290 ghostscript update breaks xdvi (gs: Error: /undefined in flushpage)

    [9.07-31.el7_6.2]
    - Resolves: #1652901 - CVE-2018-16863 ghostscript: incomplete fix for       CVE-2018-16509

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
127227	NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0046)	Nessus	NewStart CGSL Local Security Checks	critical
123895	EulerOS Virtualization 2.5.4 : ghostscript (EulerOS-SA-2019-1209)	Nessus	Huawei Local Security Checks	critical
123891	EulerOS Virtualization 2.5.3 : ghostscript (EulerOS-SA-2019-1205)	Nessus	Huawei Local Security Checks	critical
122376	EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-1049)	Nessus	Huawei Local Security Checks	critical
122170	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-1023)	Nessus	Huawei Local Security Checks	high
122169	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-1022)	Nessus	Huawei Local Security Checks	critical
121276	EulerOS Virtualization 2.5.1 : ghostscript (EulerOS-SA-2019-1016)	Nessus	Huawei Local Security Checks	critical
119901	EulerOS Virtualization 2.5.2 : ghostscript (EulerOS-SA-2018-1412)	Nessus	Huawei Local Security Checks	critical
119666	CentOS 7 : ghostscript (CESA-2018:3761)	Nessus	CentOS Local Security Checks	high
119446	Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20181204)	Nessus	Scientific Linux Local Security Checks	high
119331	RHEL 7 : ghostscript (RHSA-2018:3761)	Nessus	Red Hat Local Security Checks	high
119329	Oracle Linux 7 : ghostscript (ELSA-2018-3761)	Nessus	Oracle Linux Local Security Checks	high

Detections

Analytics

CVE-2018-16863

high

Tenable Plugins

critical

critical

critical

critical

high

critical

critical

critical

high

high

high

high