CVE-2023-38559: Ghostscript: 1973 in devn_pcx_write_rle could result in dos
First published: Mon Jul 17 2023(Updated: )
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Artifex Ghostscript | ||
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| ubuntu/ghostscript | <9.26~dfsg+0-0ubuntu0.18.04.18+ | 9.26~dfsg+0-0ubuntu0.18.04.18+ |
| ubuntu/ghostscript | <9.50~dfsg-5ubuntu4.9 | 9.50~dfsg-5ubuntu4.9 |
| ubuntu/ghostscript | <9.55.0~dfsg1-0ubuntu5.4 | 9.55.0~dfsg1-0ubuntu5.4 |
| ubuntu/ghostscript | <10.0.0~dfsg1-0ubuntu1.3 | 10.0.0~dfsg1-0ubuntu1.3 |
| ubuntu/ghostscript | <9.26~dfsg+0-0ubuntu0.16.04.14+ | 9.26~dfsg+0-0ubuntu0.16.04.14+ |
| ubuntu/ghostscript | <10.01.2~dfsg1-0ubuntu2 | 10.01.2~dfsg1-0ubuntu2 |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| Debian Debian Linux | =10.0 | |
| debian/ghostscript | <=9.27~dfsg-2+deb10u5<=9.53.3~dfsg-7+deb11u5 | 9.27~dfsg-2+deb10u9 9.53.3~dfsg-7+deb11u6 10.0.0~dfsg-11+deb12u3 10.02.1~dfsg-3 |
| Artifex Ghostscript | <10.02.0 |
Remedy
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2224367
- https://access.redhat.com/security/cve/CVE-2023-38559
- https://bugs.ghostscript.com/show_bug.cgi?id=706897
- https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
- https://access.redhat.com/errata/RHSA-2023:6544
- https://lists.debian.org/debian-lts-announce/2023/08/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GBV6BTUREXM6DB3OGHGLMWGAZ3I45TXE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QH7ERAYSSXEYDWWY7LOV7CA5MIDZN3Z6/
- https://access.redhat.com/errata/RHSA-2023:7053
- https://launchpad.net/bugs/cve/CVE-2023-38559
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2225380
- https://www.cve.org/CVERecord?id=CVE-2023-38559 https://nvd.nist.gov/vuln/detail/CVE-2023-38559 https://bugs.ghostscript.com/show_bug.cgi?id=706897 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1
- https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
- https://security-tracker.debian.org/tracker/CVE-2023-38559
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38559
- https://ubuntu.com/security/notices/USN-6297-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-38559
- https://ubuntu.com/security/CVE-2023-38559
Frequently Asked Questions
What is the vulnerability ID of this buffer overflow flaw?
The vulnerability ID of this buffer overflow flaw is CVE-2023-38559.
Where is the buffer overflow flaw located?
The buffer overflow flaw is located in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript.
What is the impact of this buffer overflow flaw?
This buffer overflow flaw may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
Which software is affected by this buffer overflow flaw?
The Artifex Ghostscript software and Redhat Enterprise Linux 8.0 and 9.0 are affected by this buffer overflow flaw.
What is the severity of this buffer overflow flaw?
The severity of this buffer overflow flaw is medium with a score of 5.5.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-38559
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/tags
- collector/nvd-latest
- agent/software-canonical-lookup-request
- agent/title
- collector/nvd-api
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- vendor/artifex
- canonical/artifex ghostscript
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/ubuntu
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/debian