Security update for ghostscript
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2017:1138-1
Final
1
1
2017-04-28T18:55:31Z
current
2017-04-28T18:55:31Z
2017-04-28T18:55:31Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for ghostscript
This update for ghostscript fixes the following security vulnerabilities:
CVE-2017-8291: A remote command execution and a -dSAFER bypass via a crafted .eps document were exploited in the wild. (bsc#1036453)
CVE-2016-9601: An integer overflow in the bundled jbig2dec library could have been misused to cause a Denial-of-Service. (bsc#1018128)
CVE-2016-10220: A NULL pointer dereference in the PDF Transparency module allowed remote attackers to cause a Denial-of-Service. (bsc#1032120)
CVE-2017-5951: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1032114)
CVE-2017-7207: A NULL pointer dereference allowed remote attackers to cause a denial of service via a crafted PostScript document. (bsc#1030263)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-DESKTOP-12-SP1-2017-659,SUSE-SLE-DESKTOP-12-SP2-2017-659,SUSE-SLE-RPI-12-SP2-2017-659,SUSE-SLE-SDK-12-SP1-2017-659,SUSE-SLE-SDK-12-SP2-2017-659,SUSE-SLE-SERVER-12-SP1-2017-659,SUSE-SLE-SERVER-12-SP2-2017-659
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
Link for SUSE-SU-2017:1138-1
https://lists.suse.com/pipermail/sle-security-updates/2017-April/002834.html
E-Mail link for SUSE-SU-2017:1138-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1018128
SUSE Bug 1018128
https://bugzilla.suse.com/1030263
SUSE Bug 1030263
https://bugzilla.suse.com/1032114
SUSE Bug 1032114
https://bugzilla.suse.com/1032120
SUSE Bug 1032120
https://bugzilla.suse.com/1036453
SUSE Bug 1036453
https://www.suse.com/security/cve/CVE-2016-10220/
SUSE CVE CVE-2016-10220 page
https://www.suse.com/security/cve/CVE-2016-9601/
SUSE CVE CVE-2016-9601 page
https://www.suse.com/security/cve/CVE-2017-5951/
SUSE CVE CVE-2017-5951 page
https://www.suse.com/security/cve/CVE-2017-7207/
SUSE CVE CVE-2017-7207 page
https://www.suse.com/security/cve/CVE-2017-8291/
SUSE CVE CVE-2017-8291 page
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP2
ghostscript-9.15-20.1
ghostscript-x11-9.15-20.1
ghostscript-devel-9.15-20.1
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Desktop 12 SP1
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Desktop 12 SP1
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Server 12 SP1
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Server 12 SP1
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Server 12 SP2
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Server 12 SP2
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1
ghostscript-9.15-20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
ghostscript-x11-9.15-20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
ghostscript-devel-9.15-20.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1
ghostscript-devel-9.15-20.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2
The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module.
CVE-2016-10220
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP1:ghostscript-devel-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP2:ghostscript-devel-9.15-20.1
important
1.9
AV:L/AC:M/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
https://www.suse.com/security/cve/CVE-2016-10220.html
CVE-2016-10220
https://bugzilla.suse.com/1032120
SUSE Bug 1032120
https://bugzilla.suse.com/1036453
SUSE Bug 1036453
ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.
CVE-2016-9601
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP1:ghostscript-devel-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP2:ghostscript-devel-9.15-20.1
important
3.3
AV:L/AC:M/Au:N/C:N/I:P/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
https://www.suse.com/security/cve/CVE-2016-9601.html
CVE-2016-9601
https://bugzilla.suse.com/1018128
SUSE Bug 1018128
https://bugzilla.suse.com/1036453
SUSE Bug 1036453
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.
CVE-2017-5951
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP1:ghostscript-devel-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP2:ghostscript-devel-9.15-20.1
important
1.9
AV:L/AC:M/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
https://www.suse.com/security/cve/CVE-2017-5951.html
CVE-2017-5951
https://bugzilla.suse.com/1032114
SUSE Bug 1032114
https://bugzilla.suse.com/1036453
SUSE Bug 1036453
The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document.
CVE-2017-7207
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP1:ghostscript-devel-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP2:ghostscript-devel-9.15-20.1
important
1.5
AV:L/AC:M/Au:S/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
https://www.suse.com/security/cve/CVE-2017-7207.html
CVE-2017-7207
https://bugzilla.suse.com/1030263
SUSE Bug 1030263
https://bugzilla.suse.com/1036453
SUSE Bug 1036453
Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
CVE-2017-8291
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-9.15-20.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:ghostscript-x11-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP1:ghostscript-devel-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12 SP2:ghostscript-devel-9.15-20.1
important
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171138-1/
https://www.suse.com/security/cve/CVE-2017-8291.html
CVE-2017-8291
https://bugzilla.suse.com/1036453
SUSE Bug 1036453