Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
| Link | Tags |
|---|---|
| http://www.debian.org/security/2017/dsa-3838 | third party advisory vendor advisory mailing list |
| https://bugzilla.suse.com/show_bug.cgi?id=1036453 | third party advisory issue tracking exploit vdb entry |
| https://access.redhat.com/errata/RHSA-2017:1230 | vendor advisory third party advisory |
| http://www.securityfocus.com/bid/98476 | third party advisory broken link vdb entry |
| https://www.exploit-db.com/exploits/41955/ | third party advisory exploit vdb entry |
| http://openwall.com/lists/oss-security/2017/04/28/2 | third party advisory patch mailing list |
| https://security.gentoo.org/glsa/201708-06 | vendor advisory third party advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1446063 | third party advisory patch issue tracking vdb entry |
| https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=04b37bbce174eed24edec7ad5b920eb93db4d47d | broken link |
| https://bugs.ghostscript.com/show_bug.cgi?id=697808 | third party advisory issue tracking vdb entry |