Amazon Linux 2 Security Advisory: ALAS-2021-1598
Advisory Release Date: 2021-02-17 00:58 Pacific
Advisory Updated Date: 2021-02-19 22:06 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183)
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (CVE-2018-17961)
Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073)
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284)
In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134)
An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409)
psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475)
psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476)
psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477)
A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
A flaw was found in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands. (CVE-2019-14869)
It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3835)
It was found that the forceput operator could be extracted from the DefineResource method. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3838)
It was found that some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3839)
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116)
Affected Packages:
ghostscript
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ghostscript to update your system.
aarch64:
ghostscript-9.25-5.amzn2.aarch64
libgs-9.25-5.amzn2.aarch64
libgs-devel-9.25-5.amzn2.aarch64
ghostscript-gtk-9.25-5.amzn2.aarch64
ghostscript-cups-9.25-5.amzn2.aarch64
ghostscript-debuginfo-9.25-5.amzn2.aarch64
i686:
ghostscript-9.25-5.amzn2.i686
libgs-9.25-5.amzn2.i686
libgs-devel-9.25-5.amzn2.i686
ghostscript-gtk-9.25-5.amzn2.i686
ghostscript-cups-9.25-5.amzn2.i686
ghostscript-debuginfo-9.25-5.amzn2.i686
noarch:
ghostscript-doc-9.25-5.amzn2.noarch
src:
ghostscript-9.25-5.amzn2.src
x86_64:
ghostscript-9.25-5.amzn2.x86_64
libgs-9.25-5.amzn2.x86_64
libgs-devel-9.25-5.amzn2.x86_64
ghostscript-gtk-9.25-5.amzn2.x86_64
ghostscript-cups-9.25-5.amzn2.x86_64
ghostscript-debuginfo-9.25-5.amzn2.x86_64