2295627 – (CVE-2024-29508) CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()

Bug 2295627 (CVE-2024-29508) - CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()

Summary: CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc()

Keywords:
Status:	NEW
Alias:	CVE-2024-29508
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2295703
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-03 18:53 UTC by OSIDB Bzimport
Modified:	2024-07-12 03:37 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Ghostscript. The`pdf_base_font_alloc` function used by the `pdfwrite` device will use a hexadecimal pointer representation for the constructed BaseFont name if the input name is empty. This flaw allows an attacker to obtain this pointer value by reading back to the output file after writing to a temporary writable and readable location.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-03 18:53:32 UTC

Artifex Ghostscript before 10.0.3.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.

Note You need to log in before you can comment on or make changes to this bug.