Description: | Summary: The remote host is missing an update for the Huawei EulerOS 'ghostscript' package(s) announced via the EulerOS-SA-2019-1613 advisory.
Vulnerability Insight: It was found that the forceput operator could be extracted from the DefineResource method. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.(CVE-2019-3838)
t was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.(CVE-2019-3835)
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints.(CVE-2019-6116)
It was found that some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.(CVE-2019-3839)
The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document.(CVE-2018-10194)
Affected Software/OS: 'ghostscript' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.
Solution: Please install the updated package(s).
CVSS Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
|