1. Ubuntu Security Notices
  2. USN-3272-1

USN-3272-1: Ghostscript vulnerabilities

Publication date

28 April 2017

Overview

Several security issues were fixed in Ghostscript.

Releases

Packages

Details

It was discovered that Ghostscript improperly handled parameters to
the rsdparams and eqproc commands. An attacker could use these to
craft a malicious document that could disable -dSAFER protections,
thereby allowing the execution of arbitrary code, or cause a denial
of service (application crash). (CVE-2017-8291)

Kamil Frankowicz discovered a use-after-free vulnerability in the
color management module of Ghostscript. An attacker could use this
to cause a denial of service (application crash). (CVE-2016-10217)

Kamil Frankowicz discovered a divide-by-zero error in the scan
conversion code in Ghostscript. An attacker could use this to cause
a denial of service (application crash). (CVE-2016-10219)

Kamil Frankowicz discovered multiple NULL pointer dereference errors in
Ghostscript. An attacker could use these...

It was discovered that Ghostscript improperly handled parameters to
the rsdparams and eqproc commands. An attacker could use these to
craft a malicious document that could disable -dSAFER protections,
thereby allowing the execution of arbitrary code, or cause a denial
of service (application crash). (CVE-2017-8291)

Kamil Frankowicz discovered a use-after-free vulnerability in the
color management module of Ghostscript. An attacker could use this
to cause a denial of service (application crash). (CVE-2016-10217)

Kamil Frankowicz discovered a divide-by-zero error in the scan
conversion code in Ghostscript. An attacker could use this to cause
a denial of service (application crash). (CVE-2016-10219)

Kamil Frankowicz discovered multiple NULL pointer dereference errors in
Ghostscript. An attacker could use these to cause a denial of service
(application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
17.04 zesty ghostscript –  9.19~dfsg+1-0ubuntu7.2
ghostscript-x –  9.19~dfsg+1-0ubuntu7.2
libgs9 –  9.19~dfsg+1-0ubuntu7.2
libgs9-common –  9.19~dfsg+1-0ubuntu7.2
16.10 yakkety ghostscript –  9.19~dfsg+1-0ubuntu6.4
ghostscript-x –  9.19~dfsg+1-0ubuntu6.4
libgs9 –  9.19~dfsg+1-0ubuntu6.4
libgs9-common –  9.19~dfsg+1-0ubuntu6.4
16.04 xenial ghostscript –  9.18~dfsg~0-0ubuntu2.4
ghostscript-x –  9.18~dfsg~0-0ubuntu2.4
libgs9 –  9.18~dfsg~0-0ubuntu2.4
libgs9-common –  9.18~dfsg~0-0ubuntu2.4
14.04 trusty ghostscript –  9.10~dfsg-0ubuntu10.7
ghostscript-x –  9.10~dfsg-0ubuntu10.7
libgs9 –  9.10~dfsg-0ubuntu10.7
libgs9-common –  9.10~dfsg-0ubuntu10.7
12.04 precise ghostscript –  9.05~dfsg-0ubuntu4.5
ghostscript-x –  9.05~dfsg-0ubuntu4.5
libgs9 –  9.05~dfsg-0ubuntu4.5
libgs9-common –  9.05~dfsg-0ubuntu4.5

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›