In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ghostscript | Artifex | * | 9.50 (excluding) |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/3scale-operator:1.9-7 | * |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/apicast-gateway:1.15-9 | * |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/backend:1.9-24 | * |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/operator:1.9-7 | * |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/toolbox:1.2-5 | * |
| 3scale API Management 2.6 on RHEL 7 | RedHat | 3scale-amp26/zync:1.9-28 | * |
| Red Hat Enterprise Linux 7 | RedHat | ghostscript-0:9.25-2.el7_7.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | ghostscript-0:9.25-2.el8_0.2 | * |
| Ghostscript | Ubuntu | bionic | * |
| Ghostscript | Ubuntu | devel | * |
| Ghostscript | Ubuntu | disco | * |
| Ghostscript | Ubuntu | trusty | * |
| Ghostscript | Ubuntu | xenial | * |