CVE-2024-46956
Published: October 7, 2024Last modified: February 28, 2025
Description
An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | ghostscript | Fixed (10.01.2-r3) |
| Stream | ghostscript | Fixed (10.04.0-r0) |
References
- https://bugs.ghostscript.com/show_bug.cgi?id=707895
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3ed26c24327de714bf2c3ed6ca
- https://github.com/ArtifexSoftware/ghostpdl/blob/master/doc/News.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00023.html
- https://www.suse.com/support/update/announcement/2024/suse-su-20243942-1/