PT-2019-1696 · Artifex+5 · Ghostscript+5

Cedric Buissart · Published 2019-02-20 · Updated 2024-06-15 · CVE-2019-3838

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Ghostscript versions prior to 9.27

Description

The issue is related to insecure privilege management in the DefineResource method of the Ghostscript file conversion program. Exploitation of this issue could allow a remote attacker to elevate their privileges. A specially crafted PostScript file could exploit this flaw to access the file system outside of the constraints imposed by -dSAFER.

Recommendations

For Ghostscript versions prior to 9.27, update to version 9.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the DefineResource method until a patch is available. Avoid using the forceput operator in the DefineResource method until the issue is resolved.

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

ALT-PU-2019-1913
ALT-PU-2019-1917
BDU:2019-01300
CESA-2019_0633
CESA-2019_0971
CVE-2019-3838
DLA-1761-1
DSA-4432-1
MGASA-2019-0130
OPENSUSE-SU-2019:1121-1
OPENSUSE-SU-2019_1119-1
OPENSUSE-SU-2019_1121-1
OPENSUSE-SU-2024:10783-1
RHSA-2019:0633
RHSA-2019:0971
RHSA-2019_0633
RHSA-2019_0971
SUSE-SU-2019:0718-1
SUSE-SU-2019:0719-1
SUSE-SU-2019:14155-1
SUSE-SU-2019_0718-1
SUSE-SU-2019_0719-1
USN-3915-1

Affected Products

Alt Linux
Centos
Ghostscript
Red Hat
Suse
Ubuntu