CVE-2016-8602

Published: 12 October 2016

The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack.

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
ghostscript Launchpad, Ubuntu, Debian	precise	Released (9.05~dfsg-0ubuntu4.4)
	trusty	Does not exist (trusty was released [9.10~dfsg-0ubuntu10.5])
	upstream	Needed
	xenial	Released (9.18~dfsg~0-0ubuntu2.2)
	yakkety	Released (9.19~dfsg+1-0ubuntu6.2)
	Patches: upstream: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8602
http://openwall.com/lists/oss-security/2016/10/11/7
https://ubuntu.com/security/notices/USN-3148-1
NVD
Launchpad
Debian

Bugs

http://bugs.ghostscript.com/show_bug.cgi?id=697203
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›