Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3942-1 Final 1 1 2024-11-07T10:11:48Z current 2024-11-07T10:11:48Z 2024-11-07T10:11:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript fixes the following issues: - CVE-2024-46951: Fixed arbitrary code execution via unchecked 'Implementation' pointer in 'Pattern' color space (bsc#1232265). - CVE-2024-46953: Fixed integer overflow when parsing the page format results in path truncation, path traversal, code execution (bsc#1232267). - CVE-2024-46956: Fixed arbitrary code execution via out of bounds data access in filenameforall (bsc#1232270). - CVE-2024-46955: Fixed out of bounds read when reading color in 'Indexed' color space (bsc#1232269). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3942,SUSE-SLE-SERVER-12-SP5-LTSS-2024-3942,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2024-3942 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/ Link for SUSE-SU-2024:3942-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019787.html E-Mail link for SUSE-SU-2024:3942-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1232265 SUSE Bug 1232265 https://bugzilla.suse.com/1232267 SUSE Bug 1232267 https://bugzilla.suse.com/1232269 SUSE Bug 1232269 https://bugzilla.suse.com/1232270 SUSE Bug 1232270 https://www.suse.com/security/cve/CVE-2024-46951/ SUSE CVE CVE-2024-46951 page https://www.suse.com/security/cve/CVE-2024-46953/ SUSE CVE CVE-2024-46953 page https://www.suse.com/security/cve/CVE-2024-46955/ SUSE CVE CVE-2024-46955 page https://www.suse.com/security/cve/CVE-2024-46956/ SUSE CVE CVE-2024-46956 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ghostscript-9.52-23.86.1 ghostscript-devel-9.52-23.86.1 ghostscript-mini-9.52-23.86.1 ghostscript-mini-devel-9.52-23.86.1 ghostscript-x11-9.52-23.86.1 ghostscript-9.52-23.86.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ghostscript-devel-9.52-23.86.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ghostscript-x11-9.52-23.86.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ghostscript-9.52-23.86.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ghostscript-devel-9.52-23.86.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ghostscript-x11-9.52-23.86.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution. CVE-2024-46951 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-x11-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-x11-9.52-23.86.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/ https://www.suse.com/security/cve/CVE-2024-46951.html CVE-2024-46951 https://bugzilla.suse.com/1232173 SUSE Bug 1232173 https://bugzilla.suse.com/1232265 SUSE Bug 1232265 An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution. CVE-2024-46953 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-x11-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-x11-9.52-23.86.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/ https://www.suse.com/security/cve/CVE-2024-46953.html CVE-2024-46953 https://bugzilla.suse.com/1232173 SUSE Bug 1232173 https://bugzilla.suse.com/1232267 SUSE Bug 1232267 An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space. CVE-2024-46955 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-x11-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-x11-9.52-23.86.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/ https://www.suse.com/security/cve/CVE-2024-46955.html CVE-2024-46955 https://bugzilla.suse.com/1232173 SUSE Bug 1232173 https://bugzilla.suse.com/1232269 SUSE Bug 1232269 An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution. CVE-2024-46956 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ghostscript-x11-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-devel-9.52-23.86.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ghostscript-x11-9.52-23.86.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/ https://www.suse.com/security/cve/CVE-2024-46956.html CVE-2024-46956 https://bugzilla.suse.com/1232173 SUSE Bug 1232173 https://bugzilla.suse.com/1232270 SUSE Bug 1232270