Ubuntu Security Notice USN-6213-1
Ubuntu Security Notice 6213-1 - It was discovered that Ghostscript incorrectly handled pipe devices. If a user or automated system were tricked into opening a specially crafted PDF file, a remote attacker could use this issue to execute arbitrary code.
==========================================================================
Ubuntu Security Notice USN-6213-1
July 10, 2023
ghostscript vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Ghostscript could be made to run programs if it opened a specially crafted
file.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript incorrectly handled pipe devices. If a
user or automated system were tricked into opening a specially crafted PDF
file, a remote attacker could use this issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
  ghostscript 10.0.0~dfsg1-0ubuntu1.2
Ubuntu 22.10:
  ghostscript 9.56.1~dfsg1-0ubuntu3.2
Ubuntu 22.04 LTS:
  ghostscript 9.55.0~dfsg1-0ubuntu5.3
Ubuntu 20.04 LTS:
  ghostscript 9.50~dfsg-5ubuntu4.8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6213-1
CVE-2023-36664
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.0.0~dfsg1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/ghostscript/9.56.1~dfsg1-0ubuntu3.2
https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.3
https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8
Related news
An issue in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
Gentoo Linux Security Advisory 202309-3 - Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could result in remote code execution. Versions greater than or equal to 10.01.2 are affected.
Debian Linux Security Advisory 5446-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed.
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).