CVE-2018-15910

Vulnerability

CVE-2018-15910 is a type confusion vulnerability in Artifex Ghostscript versions before 9.24. The flaw resides in the LockDistillerParams parameter, which can be exploited by supplying a specially crafted PostScript file. When parsed, the type confusion leads to memory corruption, enabling an attacker to crash the interpreter or execute arbitrary code. The -dSAFER sandbox, intended to restrict unsafe operations, is bypassed in this and related vulnerabilities [2][3].

Exploitation

An attacker requires the ability to supply a crafted PostScript file to Ghostscript or any application that leverages it (e.g., ImageMagick, evince, Okular, Nautilus) [2]. No authentication is needed; exploitation can be triggered remotely, for example by convincing a user to open a malicious file or by embedding the PostScript in a PDF. The type confusion occurs when the LockDistillerParams operator is invoked with a non-dictionary operand. Public exploit code is available [2].

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary commands with the privileges of the Ghostscript process. This compromises confidentiality, integrity, and availability (CIA), potentially leading to full system compromise if the process runs with elevated privileges [2]. The CVSS base score is 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2].

Mitigation

The vulnerability is fixed in Ghostscript version 9.24, released in 2018-08-27. Red Hat Enterprise Linux 7 received a patched package (ghostscript-9.07-29.el7_5.2) via RHSA-2018:2918 [1]. Gentoo users should upgrade to >=app-text/ghostscript-gpl-9.26 [4]. There is no known workaround for unpatched versions [4].