Ghostscript Multiple Security Bypass Vulnerabilities

Bugtraq ID:	105122
Class:	Input Validation Error
CVE:	CVE-2018-16509 CVE-2018-15910 CVE-2018-15911
Remote:	Yes
Local:	No
Published:	Aug 21 2018 12:00AM
Updated:	Apr 26 2019 11:00AM
Credit:	Tavis Ormandy.
Vulnerable:	Synology Router Manager 1.1 Synology Diskstation Manager 6.2 Synology Diskstation Manager 6.1 Synology Diskstation Manager 5.2 Redhat Enterprise Linux 7 Redhat Enterprise Linux 6 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 Redhat Enterprise Linux 5 Pulse Secure Pulse Connect Secure 9.0R3 Pulse Secure Pulse Connect Secure 9.0R2 Pulse Secure Pulse Connect Secure 9.0R1 Pulse Secure Pulse Connect Secure 8.3R7 Pulse Secure Pulse Connect Secure 8.3R6 Pulse Secure Pulse Connect Secure 8.3R5 Pulse Secure Pulse Connect Secure 8.3R4 Pulse Secure Pulse Connect Secure 8.3R1 Pulse Secure Pulse Connect Secure 8.3 R1 Pulse Secure Pulse Connect Secure 8.2R6 Pulse Secure Pulse Connect Secure 8.2R5 Pulse Secure Pulse Connect Secure 8.2R11 Pulse Secure Pulse Connect Secure 8.2R10 Pulse Secure Pulse Connect Secure 8.2R1.1 Pulse Secure Pulse Connect Secure 8.2R1 Pulse Secure Pulse Connect Secure 8.2R0 Oracle Linux 7 ImageMagick ImageMagick 0 + Turbolinux Turbolinux Server 7.0 + Turbolinux Turbolinux Workstation 7.0 GNOME Evince 0 GIMP GIMP 0 Ghostscript Ghostscript 8.15.2 Ghostscript Ghostscript 8.0.1 Ghostscript Ghostscript 9.23 Ghostscript Ghostscript 9.20 Ghostscript Ghostscript 9.19 Ghostscript Ghostscript 9.18 Ghostscript Ghostscript 9.10 Ghostscript Ghostscript 9.05 Ghostscript Ghostscript 9.04 Ghostscript Ghostscript 8.71 Ghostscript Ghostscript 8.70 Ghostscript Ghostscript 8.64 Ghostscript Ghostscript 8.61 Ghostscript Ghostscript 8.60 Ghostscript Ghostscript 8.57 Ghostscript Ghostscript 8.56 Ghostscript Ghostscript 8.54 Ghostscript Ghostscript 8.15 Ghostscript Ghostscript 8 64 Ghostscript Ghostscript 7.07 Ghostscript Ghostscript 7.05 Ghostscript Ghostscript 0 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian Linux 3.1 ppc + Debian Linux 3.1 mipsel + Debian Linux 3.1 mips + Debian Linux 3.1 m68k + Debian Linux 3.1 ia-64 + Debian Linux 3.1 ia-32 + Debian Linux 3.1 hppa + Debian Linux 3.1 arm + Debian Linux 3.1 amd64 + Debian Linux 3.1 alpha + Debian Linux 3.1 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0 CubeSoft CubePDF 1.0.0 RC 12 CubeSoft CubePDF 1.0.0
Not Vulnerable:	Pulse Secure Pulse Connect Secure 9.0R4 Pulse Secure Pulse Connect Secure 9.0R3.4 Pulse Secure Pulse Connect Secure 8.3R7.1 Pulse Secure Pulse Connect Secure 8.2R12.1 Ghostscript Ghostscript 9.24 + CubeSoft CubePDF 1.0 RC 13 CubeSoft CubePDF 1.0 RC 13

Ghostscript Multiple Security Bypass Vulnerabilities

Ghostscript is prone to multiple security-bypass vulnerabilities.

Successful exploits of these issues may allow remote attackers to execute arbitrary code in the context of the application or obtain potentially sensitive information. Failed exploits may result in denial-of-service conditions.

Ghostscript Multiple Security Bypass Vulnerabilities

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Ghostscript Multiple Security Bypass Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Ghostscript Multiple Security Bypass Vulnerabilities

References:

• ghostscript: multiple critical vulnerabilities, including remote command execut (chromium.org)
  
• Bug 1619751 - (CVE-2018-15910) CVE-2018-15910 ghostscript: LockDistillerParams t (Red Hat Bugzilla)
  
• Bug 1625832 - (CVE-2018-15911) CVE-2018-15911 ghostscript: uninitialized memory (Red Hat Bugzilla)
  
• CubePDF 1.0.0RC13 (CubeSoft)
  
• CVE-2018-15911 (Red Hat Bugzilla)
  
• Ghostscript Homepage (Ghostscript)
  
• More Ghostscript Issues: Should we disable PS coders in policy.xml by default? (Tavis Ormandy)
  
• Bug 1619748 - (CVE-2018-16509) CVE-2018-16509 ghostscript: /invalidaccess bypass (Red Hat Bugzilla)
  
• CVE-2018-15910 (Red Hat Bugzilla)
  
• CVE-2018-16509 (Red Hat Bugzilla)
  
• Oracle Linux Bulletin - October 2018 (Oracle)
  
• SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in P (Pulse Secure)
  
• Synology-SA-18:49 Ghostscript (Synology)
  
• VU#332928: Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities (CERT)