FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 06:42:40 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
22ae307a-1ac4-11ea-b267-001cc0382b2f	Ghostscript -- Security bypass vulnerabilities Cedric Buissart (Red Hat) reports: A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. Discovery 2019-08-20 Entry 2019-12-09 ghostscript9-agpl-base ghostscript9-agpl-x11 < 9.50 CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817
5ed7102e-6454-11e9-9a3a-001cc0382b2f	Ghostscript -- Security bypass vulnerability Cedric Buissart (Red Hat) reports: It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Discovery 2019-03-21 Entry 2019-04-21 ghostscript9-agpl-base ghostscript9-agpl-x11 < 9.27 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838 CVE-2019-3835 CVE-2019-3838
30c0f878-b03e-11e8-be8a-0011d823eebd	Ghostscript -- arbitrary code execution CERT reports: Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others. Exploit code for this vulnerability is publicly available. Discovery 2018-08-21 Entry 2018-09-04 ghostscript9-agpl-base ghostscript9-agpl-x11 < 9.24 https://www.kb.cert.org/vuls/id/332928 CVE-2018-15908 CVE-2018-15909 CVE-2018-15910 CVE-2018-15911

VuXML ID

Description

22ae307a-1ac4-11ea-b267-001cc0382b2f

Ghostscript -- Security bypass vulnerabilities

Cedric Buissart (Red Hat) reports:

A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

Discovery 2019-08-20
Entry 2019-12-09
ghostscript9-agpl-base
ghostscript9-agpl-x11

< 9.50

CVE-2019-14811
CVE-2019-14812
CVE-2019-14813
CVE-2019-14817

5ed7102e-6454-11e9-9a3a-001cc0382b2f

Ghostscript -- Security bypass vulnerability

Cedric Buissart (Red Hat) reports:

It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

Discovery 2019-03-21
Entry 2019-04-21
ghostscript9-agpl-base
ghostscript9-agpl-x11

< 9.27

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838
CVE-2019-3835
CVE-2019-3838

30c0f878-b03e-11e8-be8a-0011d823eebd

Ghostscript -- arbitrary code execution

CERT reports:

Ghostscript contains an optional -dSAFER option, which is supposed to prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

Exploit code for this vulnerability is publicly available.

Discovery 2018-08-21
Entry 2018-09-04
ghostscript9-agpl-base
ghostscript9-agpl-x11

< 9.24

https://www.kb.cert.org/vuls/id/332928
CVE-2018-15908
CVE-2018-15909
CVE-2018-15910
CVE-2018-15911