HCE2-SA-2024-0280 Important HCE 2.0 Security Fix(es): Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle. (CVE-2024-29509) Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters. (CVE-2024-29507) Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name. (CVE-2024-29506) An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename. (CVE-2024-33869) Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc. (CVE-2024-29508) Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. (CVE-2024-29510) In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). (CVE-2023-43115) An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted. (CVE-2024-33870) An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. (CVE-2023-52722) Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd. (CVE-2024-29511) HCE 2.0 ghostscript-9.55.0-6.r5.hce2.aarch64.rpm ghostscript-devel-9.55.0-6.r5.hce2.aarch64.rpm ghostscript-help-9.55.0-6.r5.hce2.noarch.rpm ghostscript-tools-dvipdf-9.55.0-6.r5.hce2.aarch64.rpm ghostscript-9.55.0-6.r5.hce2.x86_64.rpm ghostscript-devel-9.55.0-6.r5.hce2.x86_64.rpm ghostscript-tools-dvipdf-9.55.0-6.r5.hce2.x86_64.rpm