CVE-2023-28879

NameCVE-2023-28879
DescriptionIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3381-1, DSA-5383-1, ELA-833-1
Debian Bugs1033757

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ghostscript (PTS)jessie, jessie (lts)9.26a~dfsg-0+deb8u13fixed
stretch (security)9.26a~dfsg-0+deb9u9vulnerable
stretch (lts), stretch9.26a~dfsg-0+deb9u13fixed
buster, buster (lts)9.27~dfsg-2+deb10u10fixed
buster (security)9.27~dfsg-2+deb10u9fixed
bullseye9.53.3~dfsg-7+deb11u7fixed
bullseye (security)9.53.3~dfsg-7+deb11u9fixed
bookworm10.0.0~dfsg-11+deb12u5fixed
bookworm (security)10.0.0~dfsg-11+deb12u6fixed
sid, trixie10.04.0~dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ghostscriptsourcejessie9.26a~dfsg-0+deb8u11ELA-833-1
ghostscriptsourcestretch9.26a~dfsg-0+deb9u11ELA-833-1
ghostscriptsourcebuster9.27~dfsg-2+deb10u7DLA-3381-1
ghostscriptsourcebullseye9.53.3~dfsg-7+deb11u4DSA-5383-1
ghostscriptsource(unstable)10.0.0~dfsg-111033757

Notes

https://bugs.ghostscript.com/show_bug.cgi?id=706494 (not public)
Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179
Future hardening/potentially intrusive impact for older versions (and should not be applied for
older versions):
https://git.ghostscript.com/?p=ghostpdl.git;h=3635f4c75e54e337a4eebcf6db3eef0e60f9cebf
https://www.openwall.com/lists/oss-security/2023/04/12/4
https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Search for package or bug name: Reporting problems