In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

https://bugs.ghostscript.com/show_bug.cgi?id=706494
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=37ed5022cecd584de868933b5b60da2e995b3179
https://ghostscript.readthedocs.io/en/latest/News.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00003.html
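
The boundary condition in the description above (an escaped character arriving when one byte of room is left), as an added example that is not Ghostscript's code and not part of the original report: a toy escape encoder with a one-byte room check beside a two-byte check. The escape prefix, the set of escaped bytes and the XOR mask are assumptions for illustration, not taken from base/sbcp.c.

```c
#include <stdio.h>
#include <string.h>
#define ESC 0x01 /* Ctrl-A escape prefix (assumed BCP-style framing) */

/* Assumed set of bytes that must be escaped; illustrative only. */
static int needs_escape(unsigned char c) {
    return c == 0x01 || c == 0x03 || c == 0x04 || c == 0x05 ||
           c == 0x11 || c == 0x13 || c == 0x14 || c == 0x1c;
}

/* Encode src into dst[0..cap). With check_pair == 0 the loop only verifies
 * that one byte of room is left (the pattern the description names); with
 * check_pair == 1 it requires two bytes before emitting an escape pair.
 * Returns bytes written; *consumed receives the input bytes used. */
static size_t encode(const unsigned char *src, size_t n, unsigned char *dst,
                     size_t cap, int check_pair, size_t *consumed) {
    size_t in = 0, out = 0;
    while (in < n && out < cap) {
        unsigned char c = src[in];
        if (needs_escape(c)) {
            if (check_pair && cap - out < 2)
                break; /* no room for both bytes: stop, let the caller drain */
            dst[out++] = ESC;
            c ^= 0x40; /* assumed transform for the second byte of the pair */
        }
        dst[out++] = c; /* without the check above this can land at dst[cap] */
        in++;
    }
    *consumed = in;
    return out;
}

/* Constructed input: 7 plain bytes, then one that must be escaped, so the
 * escape arrives with exactly one byte left in an 8-byte window. backing[]
 * has one extra guard byte so the stray write stays inside the array.
 * Returns 1 if the guard byte was overwritten. */
static int guard_clobbered(int check_pair) {
    const unsigned char input[] = { 'A','B','C','D','E','F','G', 0x04 };
    unsigned char backing[9];
    size_t consumed;
    memset(backing, 0xEE, sizeof backing);
    encode(input, sizeof input, backing, 8, check_pair, &consumed);
    return backing[8] != 0xEE;
}

int main(void) {
    printf("one-byte check: guard clobbered = %d\n", guard_clobbered(0));
    printf("two-byte check: guard clobbered = %d\n", guard_clobbered(1));
    return 0;
}
```

With the two-byte check the encoder stops at 7 bytes written and 7 consumed, leaving the escaped character for the next call once the caller has drained the buffer.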
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 2184586]
https://offsec.almond.consulting/ghostscript-cve-2023-28879.html
https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript
Why AV -> L?

As per the documentation [1], especially the "Invoking Ghostscript" section, Ghostscript can be used as a command-line client just like any other command/executable, or it can be used as a general engine inside other applications. Considering the above use cases, the "Attack vector" differs between "Local" and "Network". If a custom application happens to be using the Python Pillow library, which internally uses the Ghostscript command line as shown in the original writeup [3], and accepts input over the network, then there is a possibility of this being exploited over the network. However, if this is not the case, then the attack vector can be considered "Local": someone needs to manually invoke the command-line client on a given machine.

[1] https://ghostscript.com/docs/9.54.0/Use.htm
[2] https://github.com/python-pillow/Pillow/blob/main/src/PIL/EpsImagePlugin.py
[3] https://offsec.almond.consulting/ghostscript-cve-2023-28879.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6544 https://access.redhat.com/errata/RHSA-2023:6544
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7053 https://access.redhat.com/errata/RHSA-2023:7053