Ghostscript CVE-2018-19134 Remote Code Execution Vulnerability

Ghostscript is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code or crash the affected application, resulting in denial-of-service conditions.

Information

Bugtraq ID: 106278
Class: Unknown
CVE: CVE-2018-19134

Remote: Yes
Local: No
Published: Dec 20 2018 12:00AM
Updated: Dec 20 2018 12:00AM
Credit: Semmle
Vulnerable: Redhat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Redhat Enterprise Linux 5
Ghostscript Ghostscript 8.15.2
Ghostscript Ghostscript 8.0.1
Ghostscript Ghostscript 9.24
+ CubeSoft CubePDF 1.0 RC 13
Ghostscript Ghostscript 9.23
Ghostscript Ghostscript 9.20
Ghostscript Ghostscript 9.19
Ghostscript Ghostscript 9.18
Ghostscript Ghostscript 9.10
Ghostscript Ghostscript 9.05
Ghostscript Ghostscript 9.04
Ghostscript Ghostscript 8.71
Ghostscript Ghostscript 8.70
Ghostscript Ghostscript 8.64
Ghostscript Ghostscript 8.61
Ghostscript Ghostscript 8.60
Ghostscript Ghostscript 8.57
Ghostscript Ghostscript 8.56
Ghostscript Ghostscript 8.54
Ghostscript Ghostscript 8.15
Ghostscript Ghostscript 8 64
Ghostscript Ghostscript 7.07
Ghostscript Ghostscript 7.05
Artifex Ghostscript 9.25
Artifex Ghostscript 9.22
Artifex Ghostscript 9.21

Not Vulnerable:

Exploit

The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.

References:

• Bug 1655599 (CVE-2018-19134) - CVE-2018-19134 ghostscript: Type confusion in set (Red Hat Bugzilla)
  
• CVE-2018-19134 (Red Hat Bugzilla)
  
• Ghostscript Homepage (Ghostscript)
  
• PS interpreter - check the Implementation of a Pattern before use (Ghostscript)
  
• Vulnerabilities in Ghostscript Interpreter Used to Process Postscript and PDF Fi (Semmle)
  

Source: www.securityfocus.com