SB2019050717 - Red Hat update for ghostscript
Published: May 7, 2019 Updated: May 7, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Exposed dangerous method or function (CVE-ID: CVE-2019-3835)
2) OS Command Injection (CVE-ID: CVE-2019-3838)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing PostScript files with Ghostscript. A remote attacker can create a specially crafted PDF file, trick the victim to open it and execute arbitrary commands on the affected system.
3) Buffer overflow (CVE-ID: CVE-2019-3839)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing Postsccript files within the GPL PostScript/PDF interpreter. A remote attacker can create a specially crafted Postscript document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Command Injection (CVE-ID: CVE-2019-6116)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to leak of sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A remote unauthenticated attacker can supply a specially crafted PostScript file to escape the -dSAFER protection, gain access to the file system and execute arbitrary commands.
Remediation
Install update from vendor's website.