Bugzilla – Bug 1136756
VUL-0: CVE-2017-15652: ghostscript,ghostscript-library: obtain sensitive information by opening a ps file
Last modified: 2020-06-29 06:39:34 UTC
CVE-2017-15652

Artifex Ghostscript 9.22 is affected by: Obtain Information. The impact is: obtain sensitive information. The component is: affected source code file, affected function, affected executable, affected libga (imagemagick used that). The attack vector is: Someone must open a postscript file through ghostscript. Because imagemagick also uses libga, it was affected as well.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15652
http://www.cvedetails.com/cve/CVE-2017-15652/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15652
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e
https://bugs.ghostscript.com/show_bug.cgi?id=698676
Version 9.23 fixes the issue. Thus SLE15 and SLE12 are not affected. SLE11-SP1 tracked as affected.
Upstream fix at [1] while the POC is attached.

[1] http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e
Created attachment 806372: POC
released