漏洞类别:RedHat
漏洞等级: 
漏洞信息
The Ghostscript suite contains utilities for rendering PostScript and PDF documents.
It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable, list directory and retrieve file content respectively, from the target. (CVE-2013-5653, CVE-2016-7977)
It was found that the ghostscript function .setdevice suffered a use-after-free vulnerability due to an incorrect reference count. A specially crafted postscript document could trigger code execution in the context of the gs process. (CVE-2016-7978)
It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash code execution in the context of the gs process. (CVE-2016-7979)
It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process. (CVE-2016-8602)
漏洞危害
A specially crafted postscript document could read environment variable, list directory and retrieve file content respectively, from the target.
A specially crafted postscript document could trigger code execution in the context of the gs process.
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2017:0013 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论