Description
In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.
It was discovered that the ghostscript gssetresolution and gsgetresolution procedures were available, although they have dangerous side effects. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.
Statement
CVE-2018-16543 requires the "device subclassing" feature to be present in ghostscript in order to exploit it and corrupt the interpreter's memory. This feature appeared in Ghostscript-9.18. Thus ghostscript 9.07, as shipped in Red Hat Enterprise Linux 7, and older are not affected: although the attacker has access to the gssetresolution and gsgetresolution operators, they cannot use these to corrupt memory.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | ghostscript | Not affected | | |
| Red Hat Enterprise Linux 6 | ghostscript | Not affected | | |
| Red Hat Enterprise Linux 7 | ghostscript | Not affected | | |
| Red Hat Enterprise Linux 8 | ghostscript | Not affected | | |
Additional information
Status:
7.3 High
CVSS3
Related vulnerabilities
A vulnerability in the gssetresolution and gsgetresolution components of the Ghostscript software suite for processing, converting and generating documents, allowing an attacker to affect the confidentiality, integrity and availability of protected information