CVE-2023-43115

high

Published 2023-11-02 · Modified 2023-11-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

Important: ghostscript security update

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description Ghostscript: GhostPDL can lead to remote code execution via crafted PostScript documents CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 9ghostscript-0:9.54.0-11.el9_2RHSA-2023:62652023-11-02T00:00:00Z Red Hat Enterprise Linux 9ghostscript-0:9.54.0-14.el9_3RHSA-2023:67322023-11-07T00:00:00Z Red…

Description

Ghostscript: GhostPDL can lead to remote code execution via crafted PostScript documents

CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 9	`ghostscript-0:9.54.0-11.el9_2`	RHSA-2023:6265	2023-11-02T00:00:00Z
Red Hat Enterprise Linux 9	`ghostscript-0:9.54.0-14.el9_3`	RHSA-2023:6732	2023-11-07T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support	`ghostscript-0:9.54.0-7.el9_0.2`	RHSA-2023:5868	2023-10-18T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`ghostscript`	Out of support scope
Red Hat Enterprise Linux 7	`ghostscript`	Not affected
Red Hat Enterprise Linux 8	`ghostscript`	Not affected
Red Hat Enterprise Linux 8	`gimp:flatpak/ghostscript`	Not affected

Apply commands

bash fix

Apply RHSA-2023:6265 for Red Hat Enterprise Linux 9

yum update -y ghostscript
# or:
dnf upgrade -y ghostscript

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 8	`Not affected`
redhat	Red Hat Enterprise Linux 8	`Not affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

AlmaLinux Fixed 1 release

Version	Status	Fixed in
9	Fixed	`ghostscript-tools-dvipdf-9.54.0-11.el9_2.aarch64.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`10.02.0~dfsg-1`
sid	Fixed	`10.02.0~dfsg-1`
forky	Fixed	`10.02.0~dfsg-1`
bullseye	Fixed	`9.53.3~dfsg-7+deb11u6`
bookworm	Fixed	`10.0.0~dfsg-11+deb12u2`

Red Hat Fixed 1 release

Version	Status	Fixed in
9	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.