CVE-2018-16513

Impact:
Important
Public Date:
2018-08-21
CWE:
CWE-253
Bugzilla:
1619750: CVE-2018-16513 ghostscript: setcolor missing type check (699655)
It was discovered that the ghostscript did not properly validate the operands passed to the setcolor function. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.

Find out more about CVE-2018-16513 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the versions of ghostscript as shipped with Red Hat Enterprise Linux 5, 6, and 7.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 3.2 mediawiki Not affected
Red Hat OpenShift Enterprise 3.1 mediawiki Not affected
Red Hat OpenShift Enterprise 3.0 mediawiki Not affected
Red Hat OpenShift Container Platform 3.9 mediawiki Not affected
Red Hat OpenShift Container Platform 3.7 mediawiki Not affected
Red Hat OpenShift Container Platform 3.6 mediawiki Not affected
Red Hat OpenShift Container Platform 3.5 mediawiki Not affected
Red Hat OpenShift Container Platform 3.4 mediawiki Not affected
Red Hat OpenShift Container Platform 3.3 mediawiki Not affected
Red Hat OpenShift Container Platform 3.11 mediawiki Not affected
Red Hat OpenShift Container Platform 3.10 mediawiki Not affected
Red Hat Enterprise Linux 8 ghostscript Not affected
Red Hat Enterprise Linux 7 ghostscript Not affected
Red Hat Enterprise Linux 6 ghostscript Not affected

Acknowledgements

Red Hat would like to thank Tavis Ormandy (Google Project Zero) for reporting this issue.

External References

Last Modified