ghostscript

A trivial sandbox (enabled with the -dSAFER option) escape security issue was found in the ghostscript interpreter by injecting a specially crafted pipe...

A way to escape the -dSAFER sandbox has been found in ghostscript before 9.50. The issue was still present in 9.50 but is mitigated by the recent -dSAFER rework.

Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures.

Safer Mode Bypass by .forceput Exposure in setsystemparams

Safer Mode Bypass by .forceput Exposure in setuserparams

Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator.

It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript...

It was found that the forceput operator could be extracted from the DefineResource method using methods similar to the ones described in CVE-2019-6116. A...

It was found that the superexec operator was available in the internal dictionary.  A specially crafted PostScript file could use this flaw in order to, for...

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator.

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an...

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup.

It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially...