PT-2019-5103 · Artifex+5 · Ghostscript+5

Lukas Schauer +1 · Published 2019-11-14 · Updated 2020-10-25 · CVE-2019-14869

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Ghostscript versions 9.x before 9.50

Description

A flaw in the .charkeys procedure of Ghostscript, which does not properly secure its privileged calls, allows scripts to bypass -dSAFER restrictions. This enables an attacker to create a specially crafted PostScript file that could escalate privileges within Ghostscript, access files outside of restricted areas, or execute commands. Exploitation of this flaw may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations

For Ghostscript versions 9.x before 9.50, update to version 9.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the .charkeys procedure to minimize the risk of exploitation. Avoid relying on the -dSAFER restrictions in affected versions until the issue is resolved.

Fix

Incorrect Permission

Improper Privilege Management

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2906
ALT-PU-2020-2917
ALT-PU-2020-2921
ALT-PU-2020-3124
BDU:2020-01769
CESA-2019_3888
CESA-2019_3890
CVE-2019-14869
DLA-1992-1
DSA-4569-1
MGASA-2019-0336
OPENSUSE-SU-2019:2534-1
OPENSUSE-SU-2019:2535-1
OPENSUSE-SU-2019_2534-1
OPENSUSE-SU-2019_2535-1
RHSA-2019:3888
RHSA-2019:3890
RHSA-2019_3888
RHSA-2019_3890
RHSA-2020:0222
SUSE-SU-2019:2981-1
SUSE-SU-2019:2983-1
SUSE-SU-2019_2981-1
SUSE-SU-2019_2983-1
USN-4193-1

Affected Products

ALT Linux
CentOS
Red Hat
SUSE
Ubuntu
Ghostscript