Security Advisory Details

NS-SA-2025-0121

2025-07-25 16:49:52

Summary

important: ghostscript/xpdf security update

Severity

important

Topic

An update for ghostscript/xpdf is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

ghostscript:
xpdf:


Security Fix(es):
ghostscript: A flaw was found in Ghostscript. The `runpdf` command allowed the new C-based PDF interpreter to be invoked from within PS. With this, it can pass various flags and arguments (for example, see `pdf_impl_set_param`) normally passed via the command line when the PDF interpreter is invoked directly. Because PS-strings are not null-terminated, this issue will result in a heap buffer overflow when a value of `PDFPassword` is supplied with a NULL byte in the middle.(CVE-2024-29509)
ghostscript: A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are treated as format strings for gp_fprintf and gs_snprintf. This lack of restriction permits arbitrary format strings with multiple specifiers, potentially leading to data leakage from the stack and memory corruption. In RHEL 9 or newer, an attacker could exploit this vulnerability to temporarily disable Ghostscript’s SAFER mode, which prevents PostScript code from executing commands or opening arbitrary files during the current invocation. (CVE-2024-29510)
ghostscript: A flaw was found in Ghostscript. In certain circumstances, path reduction in the "gp_validate_path_len" function may allow path traversal or possible command execution.(CVE-2024-33869)
ghostscript: A flaw was found in Ghostscript. When the `gp_validate_path_len` function validates a path, it distinguishes between absolute and relative paths. In the case of relative paths, it will check the path with and without the current-directory-prefix ("foo" and "./foo"). This does not take into account paths with a parent-directory-prefix. Therefore, a path like "../../foo" is also tested as "./../../foo" and if the current directory "./" is in the permitted paths, it will pass the check, which may allow arbitrary file access.(CVE-2024-33870)
ghostscript: A flaw was found in Ghostscript. The "Driver" parameter for the "opvp"/"oprp" device specifies the name of a dynamic library and allows any library to be loaded. This flaw allows a malicious user to send a specially crafted document that, when processed by Ghostscript, could potentially lead to arbitrary code execution with the privileges of the Ghostscript process on the system.(CVE-2024-33871)
ghostscript: In the extension script, a SQL injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. (CVE-2023-39417)
ghostscript: A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418)
ghostscript: A vulnerability was found in gdevijs.c in Artifex Ghostscript that allows a malicious remote attacker to perform remote code execution via crafted PostScript documents. (CVE-2023-43115)
ghostscript: A vulnerability was found in Ghostscript. This flaw occurs due to a mishandled permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).(CVE-2023-36664)
ghostscript: A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559)
ghostscript: A flaw was found in Artifex Ghostscript's psi/zcolor.c component. This vulnerability allows arbitrary code execution via an unchecked implementation pointer in the Pattern color space.(CVE-2024-46951)
ghostscript: A flaw was found in Artifex Ghostscript's PDF XRef stream handling. This vulnerability allows a buffer overflow via crafted values in the W array of a PDF XRef stream.(CVE-2024-46952)
ghostscript: A flaw was found in Artifex Ghostscript base/gsdevice.c. This vulnerability allows path truncation, path traversal, and possible code execution via an integer overflow when parsing the filename format string for the output filename.(CVE-2024-46953)
ghostscript: A flaw was found in Ghostscript/base/gp_utf8.c. This vulnerability allows directory traversal via overlong UTF-8 encoding, potentially leading to unauthorized access to filesystem directories.(CVE-2024-46954)
ghostscript: A flaw was found in Artifex Ghostscript's psi/zfile.c component. This vulnerability allows arbitrary code execution via out-of-bounds data access.(CVE-2024-46956)
ghostscript: bugfix
xpdf: XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.(CVE-2022-38928)
xpdf: There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.(CVE-2022-38222)
xpdf: bugfix
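
The relative-path check described for CVE-2024-33870 above, modeled as an added example; this is not Ghostscript's code or the upstream patch. The function names, the single permitted prefix "./" and the sample paths are assumptions constructed for illustration, and the hardened variant shows one possible lexical check.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model (assumption): `permitted` is one permitted directory prefix, e.g. "./". */
static int prefix_match(const char *path, const char *permitted) {
    return strncmp(path, permitted, strlen(permitted)) == 0;
}

/* Flawed: a relative path is tested as-is and with "./" prepended, nothing else. */
int naive_permitted(const char *path, const char *permitted) {
    char with_cwd[512];
    int n;
    if (path[0] == '/')
        return prefix_match(path, permitted);
    n = snprintf(with_cwd, sizeof with_cwd, "./%s", path);
    if (n < 0 || (size_t)n >= sizeof with_cwd) return 0;  /* refuse truncated paths */
    return prefix_match(path, permitted) || prefix_match(with_cwd, permitted);
}

/* Returns 1 if a relative path climbs above the directory it starts in. */
int escapes_cwd(const char *path) {
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;          /* ".." with nothing left to pop */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                            /* ordinary component */
        }
        p += len;
        if (*p == '/') p++;
    }
    return 0;
}

/* Hardened: reject relative paths that leave the current directory, then match. */
int hardened_permitted(const char *path, const char *permitted) {
    if (path[0] != '/' && escapes_cwd(path)) return 0;
    return naive_permitted(path, permitted);
}

int main(void) {
    const char *samples[] = { "foo", "./foo", "../../foo", "a/../../foo" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s naive=%d hardened=%d\n", samples[i], naive_permitted(samples[i], "./"), hardened_permitted(samples[i], "./"));
    return 0;
}
```

With "./" permitted, the naive check accepts "../../foo" because the string "./../../foo" still begins with the permitted prefix; the hardened check rejects it while continuing to accept "foo" and "a/../foo".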


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.

Affected Components

  • ghostscript
  • xpdf

Affected Products

  • CGSL MAIN 7.02

Update Packages

CGSL MAIN 7.02

Source: ghostscript-10.02.1-1.zncgsl7.12.src.rpm
  • libgs-10.02.1-1.zncgsl7.12.x86_64.rpm
  • ghostscript-tools-printing-10.02.1-1.zncgsl7.12.x86_64.rpm
  • ghostscript-tools-fonts-10.02.1-1.zncgsl7.12.x86_64.rpm
  • ghostscript-10.02.1-1.zncgsl7.12.x86_64.rpm

Source: xpdf-4.05-1.zncgsl7.1.src.rpm
  • xpdf-4.05-1.zncgsl7.1.x86_64.rpm

CVE

References