CVE-2019-14869

Published: 14 November 2019

A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands.

Priority

High

CVSS 3 base score: 8.8

Status

| Package | Release | Status |
|---|---|---|
| ghostscript | bionic | Released (9.26~dfsg+0-0ubuntu0.18.04.12) |
| ghostscript | disco | Released (9.26~dfsg+0-0ubuntu7.4) |
| ghostscript | eoan | Released (9.27~dfsg+0-0ubuntu3.1) |
| ghostscript | precise | Does not exist |
| ghostscript | trusty | Does not exist |
| ghostscript | upstream | Needs triage |
| ghostscript | xenial | Released (9.26~dfsg+0-0ubuntu0.16.04.12) |

Patches:

upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef