CVE-2024-46953

Name	CVE-2024-46953
Description	An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3965-1, DSA-5808-1, ELA-1243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ghostscript (PTS)	jessie, jessie (lts)	9.26a~dfsg-0+deb8u13	fixed
	stretch (security)	9.26a~dfsg-0+deb9u9	vulnerable
	stretch (lts), stretch	9.26a~dfsg-0+deb9u13	fixed
	buster, buster (lts)	9.27~dfsg-2+deb10u10	fixed
	buster (security)	9.27~dfsg-2+deb10u9	vulnerable
	bullseye	9.53.3~dfsg-7+deb11u7	vulnerable
	bullseye (security)	9.53.3~dfsg-7+deb11u9	fixed
	bookworm	10.0.0~dfsg-11+deb12u5	vulnerable
	bookworm (security)	10.0.0~dfsg-11+deb12u6	fixed
	sid, trixie	10.04.0~dfsg-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
ghostscript	source	jessie	9.26a~dfsg-0+deb8u13	ELA-1243-1
ghostscript	source	stretch	9.26a~dfsg-0+deb9u13	ELA-1243-1
ghostscript	source	buster	9.27~dfsg-2+deb10u10	ELA-1243-1
ghostscript	source	bullseye	9.53.3~dfsg-7+deb11u9	DLA-3965-1
ghostscript	source	bookworm	10.0.0~dfsg-11+deb12u6	DSA-5808-1
ghostscript	source	(unstable)	10.04.0~dfsg-1

Notes

https://bugs.ghostscript.com/show_bug.cgi?id=707793
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec4cff12951022b192dda3c00
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a (ghostpdl-10.04.0)