{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-16T00:00:00Z",
  "bugzilla" : {
    "description" : "ghostscript: format string injection leads to shell command execution (SAFER bypass)",
    "id" : "2293950",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293950"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.", "A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are passed unmodified as the format string argument to gp_fprintf and gs_snprintf. Because nothing restricts their contents, an attacker who controls these options can supply arbitrary format strings containing multiple conversion specifiers, leading to leakage of data from the stack and to memory corruption. In RHEL 9 (and any other affected Ghostscript build that uses the newer SAFER implementation rather than the older one found in RHEL 7 and RHEL 8), an attacker can exploit this flaw to disable SAFER mode for the remainder of the current invocation. SAFER is the sandbox that prevents PostScript code from executing commands or opening arbitrary files, so bypassing it can lead to shell command execution with the privileges of the Ghostscript process." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6197",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "ghostscript-0:9.54.0-17.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6466",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "ghostscript-0:9.54.0-12.el9_2.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "ghostscript",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ghostscript",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ghostscript",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ghostscript",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "gimp:flatpak/ghostscript",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-29510\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29510" ],
  "name" : "CVE-2024-29510",
  "mitigation" : {
    "value" : "Passing the -dSAFER safety argument on the command line mitigates the issue on RHEL 7 and RHEL 8 by locking security-related variables after Ghostscript's initialization. In RHEL 9, -dSAFER is enabled by default; however, as described above, this flaw can be used to disable the RHEL 9 SAFER mode for the current invocation, so -dSAFER is not a sufficient mitigation there and the updated ghostscript packages listed in the advisories should be applied. The versions of Ghostscript in RHEL 7 and RHEL 8 have an older implementation of SAFER mode that is not enabled by default, but can be enabled by passing -dSAFER on the command line when invoking Ghostscript. This older SAFER mode implementation denies PostScript code the ability to change the output device, and therefore prevents malicious PostScript code from selecting the uniprint output device in order to exploit the format string vulnerabilities in its upWriteComponentCommands and upYMoveCommand parameters. On RHEL 7 and RHEL 8, we recommend always passing -dSAFER on the command line, and not selecting the uniprint output device on the command line when processing untrusted input, because SAFER only blocks device changes made from PostScript code and does not restrict a device (or its upWriteComponentCommands / upYMoveCommand options) chosen by the operator on the command line.",
    "lang" : "en:us"
  },
  "csaw" : false
}