CLD-367 Details

Other IDs this deficiency may be known by:

CVE ID: CVE-2018-10194 (nvd, mitre, debian, archlinux, red hat, suse, ubuntu)
Other ID(s): none

Basic Information:

Affected Package(s): ghostscript
Deficiency Type: SECURITY
Date Created: 2018-04-18 23:05:08
Date Last Modified: 2018-04-19 11:34:57

Version Specific Information:

Cucumber 1.0 i686 fixed in ghostscript-9.22-i686-2
Cucumber 1.0 x86_64 fixed in ghostscript-9.22-x86_64-2 and ghostscript-lib_i686-9.22-lib_i686-2

Cucumber 1.1 i686 fixed in ghostscript-9.22-i686-2
Cucumber 1.1 x86_64 fixed in ghostscript-9.22-x86_64-2 and ghostscript-lib_i686-9.22-lib_i686-2

Details:

=================================== Overview ===================================

The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite
component in Artifex Ghostscript through 9.22 does not prevent overflows in
text-positioning calculation, which allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact via a
crafted PDF document.

================================= Our Analysis =================================

----- Affected Products -----
Versions of ghostscript up to and including 9.22 that have not had the patch from
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
applied are vulnerable. This includes ghostscript as originally packaged in
Cucumber Linux 1.0 and 1.1 (build 1 of ghostscript-9.22).

----- Scope and Impact of this Vulnerability -----
Allows for a denial of service (application crash) and possibly other
unspecified impacts.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the commit from
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879.

================================= Our Solution =================================

We have applied the aforementioned commit and rebuilt the ghostscript packages listed above.