CVE-2021-3781

NameCVE-2021-3781
DescriptionA trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4972-1
Debian Bugs994011

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ghostscript (PTS)buster9.27~dfsg-2+deb10u5fixed
buster (security)9.27~dfsg-2+deb10u6fixed
bullseye (security), bullseye9.53.3~dfsg-7+deb11u2fixed
bookworm, sid9.56.1~dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ghostscriptsourcestretch(not affected)
ghostscriptsourcebuster(not affected)
ghostscriptsourcebullseye9.53.3~dfsg-7+deb11u1DSA-4972-1
ghostscriptsource(unstable)9.53.3~dfsg-8994011

Notes

[buster] - ghostscript <not-affected> (Vulnerable code introduced later)
[stretch] - ghostscript <not-affected> (Vulnerable code introduced later)
https://twitter.com/ducnt_/status/1434534373416574983
https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50
https://bugs.ghostscript.com/show_bug.cgi?id=704342
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20

Search for package or bug name: Reporting problems