CVE-2023-36664
Ghostscript vulnerability analysis and mitigation

Overview

Artifex Ghostscript through version 10.01.2 contains a security vulnerability identified as CVE-2023-36664. The vulnerability stems from mishandled permission validation for pipe devices, specifically when handling the %pipe% prefix or the | pipe character prefix. This vulnerability affects the GPL PostScript/PDF interpreter, which is widely used in various Linux distributions and systems (NVD, Debian Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that while the attack requires local access and user interaction, it requires no privileges and can result in high impacts across confidentiality, integrity, and availability. The vulnerability is tracked as CWE-552, relating to Files or Directories Accessible to External Parties (NVD).

Impact

The vulnerability could result in the execution of arbitrary commands if malformed document files are processed, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (Debian Advisory).

Mitigation and workarounds

Multiple vendors have released patches to address this vulnerability. Debian has fixed the issue in version 9.53.3~dfsg-7+deb11u5 for oldstable (bullseye) and version 10.0.0~dfsg-11+deb12u1 for stable (bookworm). Fedora has released updates for version 9.56.1-8.fc37 and 10.01.2-1.fc38. Gentoo users should upgrade to version 10.01.2 or later (Debian Advisory, Fedora Update, Gentoo Advisory).


This report was generated using AI.
