CVE-2013-5653

Summary

CVE	CVE-2013-5653
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-03-07 15:59:00 UTC
Updated	2018-01-05 02:29:00 UTC
Description	The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Artifex	Afpl Ghostscript	9.10	All	All	All
Application	Artifex	Afpl Ghostscript	9.10	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All

References

Reference	Source	Link	Tags
697169 – .libfile does not honor -dSAFER	CONFIRM	bugs.ghostscript.com	Issue Tracking, Patch
694724 – GhostScript information disclosure - paranoidsafer	CONFIRM	bugs.ghostscript.com	Issue Tracking, Patch
1380327 – (CVE-2013-5653) CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER	CONFIRM	bugzilla.redhat.com	Issue Tracking, Patch
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
oss-security - Re: ImageMagick identify "d:" hangs	MLIST	www.openwall.com	Mailing List, Patch, Third Party Advisory
Ghostscript CVE-2013-5653 Multiple Information Disclosure Vulnerabilities	BID	www.securityfocus.com
Debian -- Security Information -- DSA-3691-1 ghostscript	DEBIAN	www.debian.org	Third Party Advisory
oss-security - Re: ImageMagick identify "d:" hangs	MLIST	www.openwall.com	Mailing List, Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

378143 Virtuozzo Linux Security Update for ghostscript-doc (VZLSA-2017:0013)
378268 Virtuozzo Linux Security Update for ghostscript-devel (VZLSA-2017:0014)