INFSA-2024:6197: Ghostscript security update
Information about definition
Identificator: INFSA-2024:6197
Type: security
Release date: 2024-12-26 14:19:50 UTC
Information about package
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.
Vulnerabilities description
- CVE-2024-29510
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
- CVE-2024-33869
An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
- CVE-2024-33870
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-29510
|
no information | 5.5 | no information |
|
NIST — CVE-2024-33869
|
no information | 5.3 | no information |
|
NIST — CVE-2024-33870
|
no information | 6.8 | no information |
Updated packages