CVE-2023-38559

Ghostscript: out-of-bound read in base/gdevdevn.c:1973 in devn_pcx_write_rle could result in dos

Published: 8/1/2023 Last updated: 11/23/2024 Reserved: 7/20/2023

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.5	Medium	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Opam packages affected (1)

conf-ghostscript

Products affected (5)

Product	Vendor	Version
Red Hat Enterprise Linux 8	Red Hat	< *
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 6	Red Hat	11.5
Red Hat Enterprise Linux 7	Red Hat	11.6
Red Hat Enterprise Linux 8	Red Hat	11.7

References (15)

https://access.redhat.com/errata/RHSA-2023:6544
https://access.redhat.com/errata/RHSA-2023:7053
https://access.redhat.com/security/cve/CVE-2023-38559
https://bugs.ghostscript.com/show_bug.cgi?id=706897
https://bugzilla.redhat.com/show_bug.cgi?id=2224367
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=d81b82c70bc1
https://access.redhat.com/errata/RHSA-2023:6544
https://access.redhat.com/errata/RHSA-2023:7053
https://access.redhat.com/security/cve/CVE-2023-38559
https://bugs.ghostscript.com/show_bug.cgi?id=706897
https://bugzilla.redhat.com/show_bug.cgi?id=2224367
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=d81b82c70bc1
https://lists.debian.org/debian-lts-announce/2023/08/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GBV6BTUREXM6DB3OGHGLMWGAZ3I45TXE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QH7ERAYSSXEYDWWY7LOV7CA5MIDZN3Z6/

Credits (1)

Red Hat would like to thank fullwaywang (Tencent) for reporting this issue.