CVE-2013-5653

Published: 31 December 2013

The getenv and filenameforall functions in Ghostscript 9.10 ignore the "-dSAFER" argument, which allows remote attackers to read data via a crafted postscript file.

Priority

CVSS 3 base score: 5.5

Status

Package	Release	Status
ghostscript Launchpad, Ubuntu, Debian	precise	Released (9.05~dfsg-0ubuntu4.4)
	trusty	Does not exist (trusty was released [9.10~dfsg-0ubuntu10.5])
	upstream	Needs triage
	xenial	Released (9.18~dfsg~0-0ubuntu2.2)
	yakkety	Released (9.19~dfsg+1-0ubuntu6.2)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5653
http://bugs.ghostscript.com/show_bug.cgi?id=694724
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
http://seclists.org/oss-sec/2016/q3/651
https://ubuntu.com/security/notices/USN-3148-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839118

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›