From: https://insomniasec.com/blog/ghostscript-cve-2020-15900

Summary:
Insomnia Security found a buffer length calculation flaw in a non-standard Postscript operator in Ghostscript, which allows the creation of a 4GB "string" reference overlapping with other memory structures. This was introduced in Ghostscript 9.50 and is present in the latest official 9.52 release. By reading and writing through this string reference, heap content can be directly manipulated, resulting in arbitrary read/write of memory. By reading and writing only data memory (i.e. no direct injection of shellcode), Insomnia Security found the sandbox can be reliably disabled, and dangerous Postscript functionality made available. This includes arbitrary file reading and writing, as well as OS command execution in environments with this enabled (Linux, some Windows environments). Exploitation using standard memory corruption techniques would also be viable.

Reproducible: Always

Steps to Reproduce:
See https://insomniasec.com/blog/ghostscript-cve-2020-15900

Actual Results:
# LC_ALL=C eix -v ghostscript
* app-text/ghostscript-gpl
     Available versions:  9.50
     IUSE (all versions): X cups dbus gtk static-libs tiff unicode L10N="de ja ko zh-CN zh-TW"
     Installed versions:  Version: 9.50
                          Date:    07:57:42 08/10/20
                          USE:     dbus unicode -X -cups -gtk -static-libs -tiff L10N="-de -ja -ko -zh-CN -zh-TW"
                          DEPEND:  app-text/libpaper media-libs/fontconfig >=media-libs/freetype-2.4.9:2/2= >=media-libs/jbig2dec-0.16:0/0.18= >=media-libs/lcms-2.6:2 >=media-libs/libpng-1.6.2:0/16= >=media-libs/openjpeg-2.1.0:2/7= >=sys-libs/zlib-1.2.7 virtual/jpeg:0 sys-apps/dbus net-dns/libidn:0/12=
                          RDEPEND: ${DEPEND} app-text/poppler-data >=media-fonts/urw-fonts-2.4.9
                          BDEPEND: virtual/pkgconfig >=app-portage/elt-patches-20170815 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
                          SRC_URI:
                          EAPI:    7
     Best versions/slot:  9.50
     Homepage:            https://ghostscript.com/
     Description:         Interpreter for the PostScript language and PDF
     License:             AGPL-3 CPL-1.0
CVE: https://security-tracker.debian.org/tracker/CVE-2020-15900

Additional: In Russian (where I found the information):
https://www.opennet.ru/opennews/art.shtml?num=53480

Some other resources with information about the CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15900
https://nvd.nist.gov/vuln/detail/CVE-2020-15900
This appears to be a duplicate of bug 734322.
(In reply to John Helmert III (ajak) from comment #3)
> This appears to be a duplicate of bug 734322.

Agreed. Thanks for the report though!

*** This bug has been marked as a duplicate of bug 734322 ***