Описание
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Меры по смягчению последствий
Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat 3scale API Management Platform 2 | ghostscript | Not affected | ||
| Red Hat Enterprise Linux 5 | ghostscript | Out of support scope | ||
| Red Hat Enterprise Linux 6 | ghostscript | Out of support scope | ||
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/3scale-operator | Fixed | RHSA-2019:2534 | 21.08.2019 |
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/apicast-gateway | Fixed | RHSA-2019:2534 | 21.08.2019 |
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/backend | Fixed | RHSA-2019:2534 | 21.08.2019 |
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/operator | Fixed | RHSA-2019:2534 | 21.08.2019 |
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/toolbox | Fixed | RHSA-2019:2534 | 21.08.2019 |
| 3scale API Management 2.6 on RHEL 7 | 3scale-amp26/zync | Fixed | RHSA-2019:2534 | 21.08.2019 |
| Red Hat Enterprise Linux 7 | ghostscript | Fixed | RHSA-2019:2586 | 02.09.2019 |
Показывать по
Дополнительная информация
Статус:
7.3 High
CVSS3
Связанные уязвимости
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
A flaw was found in all ghostscript versions 9.x before 9.50, in the . ...
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Уязвимость процедуры .setuserparams2 программы конвертирования файлов формата PostScript Ghostscript, позволяющая нарушителю выполнить произвольные команды или получить доступ к файловой системе
7.3 High
CVSS3