Vulnerability Details : CVE-2009-4270
Stack-based buffer overflow in the errprintf function in base/gsmisc.c in ghostscript 8.64 through 8.70 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file, as originally reported for debug logging code in gdevcups.c in the CUPS output driver.
Vulnerability category: OverflowExecute codeDenial of service
Products affected by CVE-2009-4270
- cpe:2.3:a:ghostscript:ghostscript:8.64:*:*:*:*:*:*:*
- cpe:2.3:a:ghostscript:ghostscript:8.70:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-4270
2.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-4270
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2009-4270
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-4270
-
Red Hat 2009-12-22Not vulnerable. This issue did not affect the versions of ghostscript as shipped with Red Hat Enterprise Linux 3, 4, or 5.
References for CVE-2009-4270
-
http://www.securityfocus.com/bid/37410
Exploit
-
http://www.ubuntu.com/usn/USN-961-1
USN-961-1: Ghostscript vulnerabilities | Ubuntu security notices
-
http://www.mandriva.com/security/advisories?name=MDVSA-2010:135
Mandriva
-
http://www.mandriva.com/security/advisories?name=MDVSA-2010:134
mandriva.com
-
http://www.openwall.com/lists/oss-security/2009/12/18/1
oss-security - possible vulnerability in ghostscript >= 8.64
-
http://www.vupen.com/english/advisories/2009/3597
Site en constructionVendor Advisory
-
http://www.openwall.com/lists/oss-security/2009/12/18/2
oss-security - Re: possible vulnerability in ghostscript >= 8.64
-
http://bugs.ghostscript.com/show_bug.cgi?id=690829
690829 – buffer overflow in errprintf
-
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:014
-
https://bugzilla.redhat.com/show_bug.cgi?id=540760
540760 – (CVE-2009-4270) CVE-2009-4270 ghostscript buffer overflow in cups output driver
-
http://security.gentoo.org/glsa/glsa-201412-17.xml
GPL Ghostscript: Multiple vulnerabilities (GLSA 201412-17) — Gentoo security
Jump to