Vulnerability Details: CVE-2017-9835
The gs_alloc_ref_array function in psi/ialloc.c in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document. This is related to a lack of an integer overflow check in base/gsalloc.c.
Vulnerability category: Overflow; Denial of service
Products affected by CVE-2017-9835
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:artifex:ghostscript:9.21:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-9835
- EPSS score: 0.74% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~78% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-9835
| Version | Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|---|
| 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
| 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2017-9835
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. (Assigned by: nvd@nist.gov, Primary)
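The size-computation bug that the CVE text and this CWE entry describe, shown as an added C example (this is not Ghostscript's code and not the actual fix commit): a count-times-element-size product computed in `unsigned int` wraps for a large count, so the allocator returns a block far smaller than what the caller will write into, which is the heap-based buffer overflow. Next to it is the check that refuses any count whose byte size cannot be represented. The `ref` struct layout, the function names and the sample count 0x10000001 are hypothetical; only the pattern (a missing overflow check on the allocation size) is taken from the page.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a PostScript "ref" cell (not Ghostscript's real
 * struct); two 64-bit fields give a realistic sizeof(ref) of 16 bytes. */
typedef struct {
    uint64_t type_attrs;
    uint64_t value;
} ref;

/* Vulnerable pattern: the byte count for num_refs cells is kept in an
 * unsigned int, so a large count wraps to a small number. An allocator that
 * trusts this value hands back far less memory than the caller believes it
 * has, and the subsequent writes overflow the heap block. */
unsigned int unchecked_array_bytes(unsigned int num_refs)
{
    unsigned int bytes = (unsigned int)(num_refs * sizeof(ref)); /* wraps */
    return bytes;
}

/* Hardened pattern: before multiplying, reject any count whose byte size does
 * not fit in the type the allocator uses. Returns 1 and stores the size on
 * success, 0 if num_refs * sizeof(ref) would wrap. */
int checked_array_bytes(unsigned int num_refs, unsigned int *bytes_out)
{
    if (num_refs > UINT_MAX / sizeof(ref))
        return 0;
    *bytes_out = num_refs * (unsigned int)sizeof(ref);
    return 1;
}

/* Allocator built on the checked size: NULL on overflow or out of memory. */
ref *alloc_ref_array(unsigned int num_refs)
{
    unsigned int bytes;
    if (!checked_array_bytes(num_refs, &bytes))
        return NULL;
    return (ref *)calloc(1, bytes); /* bytes is exact; no wrap possible here */
}

/* Allocate num_refs cells and write every one of them. Returns 1 if the
 * request was accepted and fully written, 0 if it was refused. Done with
 * the unchecked size, this loop would run past the end of the heap block. */
int alloc_and_fill(unsigned int num_refs)
{
    ref *arr = alloc_ref_array(num_refs);
    unsigned int i;
    if (arr == NULL)
        return 0;
    for (i = 0; i < num_refs; i++) {
        arr[i].type_attrs = 0;
        arr[i].value = i;
    }
    free(arr);
    return 1;
}

int main(void)
{
    /* 0x10000001 * 16 = 0x100000010, which truncates to 0x10 = 16 bytes:
     * room for one ref, while the caller believes it has 268 million. */
    unsigned int bad = 0x10000001u;
    printf("unchecked size for %u refs: %u bytes\n", bad, unchecked_array_bytes(bad));
    printf("checked allocation of %u refs accepted: %d\n", bad, alloc_and_fill(bad));
    printf("checked allocation of 1000 refs accepted: %d\n", alloc_and_fill(1000u));
    return 0;
}
```

The check divides rather than multiplies (`num_refs > UINT_MAX / sizeof(ref)`) so that the comparison itself cannot wrap; `__builtin_mul_overflow` would serve the same purpose on GCC and Clang. Note that a count of zero is passed through to `calloc(1, 0)`, whose return value is implementation-defined, so a real allocator would want to decide that case explicitly.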
References for CVE-2017-9835
- http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cfde94be1d4286bc47633c6e6eaf4e659bd78066
  git.ghostscript.com Git - ghostpdl.git/commit [Third Party Advisory]
- http://www.debian.org/security/2017/dsa-3986
  Debian -- Security Information -- DSA-3986-1 ghostscript [Third Party Advisory]
- https://bugs.ghostscript.com/show_bug.cgi?id=697985
  697985 – heap-buffer-overflow in gs_alloc_ref_array(ialloc.c) [Exploit; Issue Tracking; Third Party Advisory]
- https://security.gentoo.org/glsa/201811-12
  GPL Ghostscript: Multiple vulnerabilities (GLSA 201811-12) — Gentoo security [Third Party Advisory]
- http://www.securityfocus.com/bid/99991
  Artifex Ghostscript CVE-2017-9835 Heap Buffer Overflow Vulnerability [Third Party Advisory; VDB Entry]