Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
| Link | Tags |
|---|---|
| http://www.debian.org/security/2017/dsa-3838 | vendor advisory mailing list third party advisory |
| https://bugzilla.suse.com/show_bug.cgi?id=1036453 | vdb entry exploit third party advisory issue tracking |
| https://access.redhat.com/errata/RHSA-2017:1230 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/98476 | broken link third party advisory vdb entry |
| https://www.exploit-db.com/exploits/41955/ | third party advisory vdb entry exploit |
| http://openwall.com/lists/oss-security/2017/04/28/2 | patch mailing list third party advisory |
| https://security.gentoo.org/glsa/201708-06 | third party advisory vendor advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1446063 | patch vdb entry third party advisory issue tracking |
| https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=04b37bbce174eed24edec7ad5b920eb93db4d47d | broken link |
| https://bugs.ghostscript.com/show_bug.cgi?id=697808 | third party advisory vdb entry issue tracking |