The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1380327 | Issue Tracking Patch |
https://bugs.ghostscript.com/show_bug.cgi?id=697169 | Issue Tracking Patch |
https://bugs.ghostscript.com/show_bug.cgi?id=694724 | Issue Tracking Patch |
http://www.openwall.com/lists/oss-security/2016/09/29/5 | Mailing List Patch Third Party Advisory |
http://www.openwall.com/lists/oss-security/2016/09/29/28 | Mailing List Patch Third Party Advisory |
http://www.debian.org/security/2016/dsa-3691 | Third Party Advisory |
http://www.securityfocus.com/bid/96497 | |
http://rhn.redhat.com/errata/RHSA-2017-0014.html | |
http://rhn.redhat.com/errata/RHSA-2017-0013.html |
Information
Published : 2017-03-07 07:59
Updated : 2018-01-04 18:29
NVD link : CVE-2013-5653
Mitre link : CVE-2013-5653
JSON object : View
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Products Affected
debian
- debian_linux
artifex
- afpl_ghostscript