ghostscript-9.20-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10003 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ghostscript-9.20-2.1 on GA media These are all security issues fixed in the ghostscript-9.20-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10003 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10003 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-5653/ SUSE CVE CVE-2013-5653 page https://www.suse.com/security/cve/CVE-2015-3228/ SUSE CVE CVE-2015-3228 page https://www.suse.com/security/cve/CVE-2016-7976/ SUSE CVE CVE-2016-7976 page https://www.suse.com/security/cve/CVE-2016-7977/ SUSE CVE CVE-2016-7977 page https://www.suse.com/security/cve/CVE-2016-7978/ SUSE CVE CVE-2016-7978 page https://www.suse.com/security/cve/CVE-2016-7979/ SUSE CVE CVE-2016-7979 page https://www.suse.com/security/cve/CVE-2016-8602/ SUSE CVE CVE-2016-8602 page openSUSE Tumbleweed ghostscript-9.20-2.1 ghostscript-devel-9.20-2.1 ghostscript-x11-9.20-2.1 ghostscript-9.20-2.1 as a component of openSUSE Tumbleweed ghostscript-devel-9.20-2.1 as a component of openSUSE Tumbleweed ghostscript-x11-9.20-2.1 as a component of openSUSE Tumbleweed The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file. CVE-2013-5653 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5653.html CVE-2013-5653 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 https://bugzilla.suse.com/1007816 SUSE Bug 1007816 https://bugzilla.suse.com/1036453 SUSE Bug 1036453 Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote attackers to cause a denial of service (crash) via a crafted Postscript (ps) file, as demonstrated by using the ps2pdf command, which triggers an out-of-bounds read or write. CVE-2015-3228 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-3228.html CVE-2015-3228 https://bugzilla.suse.com/939342 SUSE Bug 939342 The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. CVE-2016-7976 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 7.1 AV:N/AC:H/Au:N/C:C/I:C/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7976.html CVE-2016-7976 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. CVE-2016-7977 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 5.4 AV:N/AC:H/Au:N/C:C/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7977.html CVE-2016-7977 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 https://bugzilla.suse.com/1095610 SUSE Bug 1095610 Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. CVE-2016-7978 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7978.html CVE-2016-7978 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. CVE-2016-7979 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7979.html CVE-2016-7979 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. CVE-2016-8602 openSUSE Tumbleweed:ghostscript-9.20-2.1 openSUSE Tumbleweed:ghostscript-devel-9.20-2.1 openSUSE Tumbleweed:ghostscript-x11-9.20-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8602.html CVE-2016-8602 https://bugzilla.suse.com/1001951 SUSE Bug 1001951 https://bugzilla.suse.com/1004237 SUSE Bug 1004237 https://bugzilla.suse.com/1036453 SUSE Bug 1036453