FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Ghostscript -- arbitrary code execution

Affected packages
ghostscript9-agpl-base < 9.24
ghostscript9-agpl-x11 < 9.24

Details

VuXML ID: 30c0f878-b03e-11e8-be8a-0011d823eebd
Discovery: 2018-08-21
Entry: 2018-09-04

CERT reports:

Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.

References

CVE Name: CVE-2018-15908
CVE Name: CVE-2018-15909
CVE Name: CVE-2018-15910
CVE Name: CVE-2018-15911
URL: https://www.kb.cert.org/vuls/id/332928