Bug 2184585 (CVE-2023-28879) - CVE-2023-28879 ghostscript: buffer overflow in base/sbcp.c leading to data corruption
Status: NEW
Alias: CVE-2023-28879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2184586 2188297 2188299 2188300
Blocks: 2183631
Reported: 2023-04-05 06:00 UTC by TEJ RATHI
Modified: 2024-02-01 01:40 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:6544 | 0 | None | None | None | 2023-11-07 08:19:18 UTC
Red Hat Product Errata | RHSA-2023:7053 | 0 | None | None | None | 2023-11-14 15:19:27 UTC

Description TEJ RATHI 2023-04-05 06:00:25 UTC
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

https://bugs.ghostscript.com/show_bug.cgi?id=706494
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=37ed5022cecd584de868933b5b60da2e995b3179
https://ghostscript.readthedocs.io/en/latest/News.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00003.html
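
The off-by-one described above, as an added example that is not Ghostscript's code and not part of the original report: a simplified escape encoder whose unchecked mode requires only one free output byte before storing a two-byte escape pair, next to the checked form that requires two. The escape set, the `ESC`/XOR 0x40 quoting, the function names and the sample input are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ESC 0x01 /* escape prefix; simplified model, not the sbcp.c tables */

/* Escape set assumed for this example only. */
static int needs_escape(unsigned char c) {
    return c == 0x01 || c == 0x03 || c == 0x04 || c == 0x05 ||
           c == 0x11 || c == 0x13 || c == 0x14 || c == 0x1c;
}

/* Encode in[0..n) into out[0..cap); returns bytes written, *used = input consumed.
 * checked == 0 keeps the flawed pattern: one free byte is demanded even when
 * an escape pair (two bytes) is about to be stored. */
static size_t encode(const unsigned char *in, size_t n, unsigned char *out,
                     size_t cap, int checked, size_t *used) {
    size_t i = 0, q = 0;
    while (i < n) {
        int esc = needs_escape(in[i]);
        size_t need = (checked && esc) ? 2 : 1;
        if (q + need > cap)
            break; /* output full: caller drains the buffer and calls again */
        if (esc) {
            out[q++] = ESC;
            out[q++] = (unsigned char)(in[i] ^ 0x40); /* out[cap] if unchecked */
        } else {
            out[q++] = in[i];
        }
        i++;
    }
    *used = i;
    return q;
}

/* Constructed input: 7 plain bytes, then 0x03, into an 8-byte window backed by
 * 9 bytes, so the stray write lands on a canary rather than foreign memory. */
static int canary_survives(int checked, size_t *written, size_t *used) {
    const unsigned char in[] = { 'A','B','C','D','E','F','G', 0x03, 'H' };
    unsigned char buf[9];
    memset(buf, 0xAA, sizeof buf);
    *written = encode(in, sizeof in, buf, 8, checked, used);
    return buf[8] == 0xAA;
}

int main(void) {
    size_t w, u;
    printf("unchecked: canary ok=%d\n", canary_survives(0, &w, &u));
    printf("checked:   canary ok=%d\n", canary_survives(1, &w, &u));
    return 0;
}
```

In the checked mode the encoder stops with the escaped character unconsumed, so the caller can drain the output and resume without losing input.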

Comment 1 TEJ RATHI 2023-04-05 06:00:44 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2184586]

Comment 4 Dhananjay Arunesh 2023-05-05 08:46:09 UTC
Why AV -> L ?

As per documentation [1], especially the "Invoking Ghostscript" section, Ghostscript can be used as a command line client just like any other command/executable, or Ghostscript can also be used as a general engine inside other applications. Considering the above use cases, the "Attack vector" differs between being "Local" or "Network". If a custom application happens to be using the Python Pillow library, which internally uses the Ghostscript command line as shown in the original writeup [3], and accepts input over the network, then there is a possibility of this being exploited over the network. However, if this is not the case, then the attack vector can be considered "Local", as someone needs to manually invoke the command line client on a given machine.


[1] https://ghostscript.com/docs/9.54.0/Use.htm
[2] https://github.com/python-pillow/Pillow/blob/main/src/PIL/EpsImagePlugin.py
[3] https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Comment 9 errata-xmlrpc 2023-11-07 08:19:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6544 https://access.redhat.com/errata/RHSA-2023:6544

Comment 10 errata-xmlrpc 2023-11-14 15:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7053 https://access.redhat.com/errata/RHSA-2023:7053

