DescriptionIn Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3381-1, DSA-5383-1
Debian Bugs1033757

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ghostscript (PTS)buster9.27~dfsg-2+deb10u5vulnerable
buster (security)9.27~dfsg-2+deb10u9fixed
bullseye (security)9.53.3~dfsg-7+deb11u5fixed
bookworm (security)10.0.0~dfsg-11+deb12u1fixed
sid, trixie10.02.1~dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Notes (not public)
Fixed by:;h=37ed5022cecd584de868933b5b60da2e995b3179
Future hardening/potentially intrusive impact for older versions (and should not be applied for
older versions):;h=3635f4c75e54e337a4eebcf6db3eef0e60f9cebf

Search for package or bug name: Reporting problems