AlmaLinux ALSA-2024:6197
Sep 03, 2024 - 12:00 a.m.

Moderate: ghostscript security update

2024-09-03 00:00:00
errata.almalinux.org
ghostscript suite
postscript
pdf
rendering
bitmap formats
code execution
cve-2024-29510
cve-2024-33869
cve-2024-33870
unix
security fix

CVSS3: 6.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score: 8.1
Confidence: Low

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

Security Fix(es):

  • ghostscript: format string injection leads to shell command execution (SAFER bypass) (CVE-2024-29510)
  • ghostscript: path traversal and command execution due to path reduction (CVE-2024-33869)
  • ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths (CVE-2024-33870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
