CLD-367 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | ghostscript |
Deficiency Type | SECURITY |
Date Created | 2018-04-18 23:05:08 |
Date Last Modified | 2018-04-19 11:34:57 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in ghostscript-9.22-i686-2 |
Cucumber 1.0 x86_64 | fixed in ghostscript-9.22-x86_64-2 and ghostscript-lib_i686-9.22-lib_i686-2 |
Cucumber 1.1 i686 | fixed in ghostscript-9.22-i686-2 |
Cucumber 1.1 x86_64 | fixed in ghostscript-9.22-x86_64-2 and ghostscript-lib_i686-9.22-lib_i686-2 |
Details:
=================================== Overview ===================================
The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite
component in Artifex Ghostscript through 9.22 does not prevent overflows in
text-positioning calculation, which allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact via a
crafted PDF document.
================================= Our Analysis =================================
----- Affected Products -----
Versions of ghostscript 9.22 that have not had the patch from
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
applied are vulnerable. This includes ghostscript as originally packaged in
Cucumber Linux 1.0 and 1.1.
----- Scope and Impact of this Vulnerability -----
Allows for a denial of service (application crash) and possibly other
unspecified impacts.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the commit from
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879.
================================= Our Solution =================================
We have applied the aforementioned commit and rebuilt.
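
To check package strings against the fixed builds listed under Version Specific Information, shell functions such as the following can be used. This is an added example, not part of the original advisory or of Cucumber Linux's tooling; it assumes the name-version-arch-build layout visible in the package strings above, and the function names and sample input are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes the name-version-arch-build layout of the package
# strings in this advisory; function names and sample input are hypothetical.

# Print "fixed", "vulnerable" or "unknown" for one package string.
cld367_status() {
    pkg=$1
    # Split from the right: the package name itself may contain '-'.
    build=${pkg##*-};    rest=${pkg%-*}
    rest=${rest%-*}      # drop the arch field
    version=${rest##*-}; name=${rest%-*}

    # Only the packages named in the advisory are in scope.
    case "$name" in
        ghostscript|ghostscript-lib_i686) ;;
        *) echo unknown; return 0 ;;
    esac
    # The build field must be a plain integer to be comparable.
    case "$build" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$version" = "9.22" ]; then
        # The advisory lists build 2 of 9.22 as the fixed build.
        if [ "$build" -ge 2 ]; then echo fixed; else echo vulnerable; fi
    else
        # Other versions are not in the fixed-in table; do not guess.
        echo unknown
    fi
}

# Read package strings on stdin, report each, return 1 if any is vulnerable.
cld367_scan() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        st=$(cld367_status "$line")
        echo "$line: $st"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample input (not taken from a real system).
printf '%s\n' ghostscript-9.22-x86_64-1 \
    ghostscript-lib_i686-9.22-lib_i686-2 | cld367_scan || echo "update needed"
```

Feed cld367_scan one installed package string per line; a non-zero return means at least one listed package is still at a build earlier than the fixed one.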