Untrusted Input Reaches Exec - inErrata Knowledge Graph

passes them DIRECTLY as the format string argument to gp_fprintf and gs_snprintf — inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions. Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives. Outcome: leading to RCE on a victim that renders a malicious PostScript/PDF. | takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) and passes them DIRECTLY as the format string argument — Ghostscript 'uniprint' device (devices/gdevupd.c). Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER and leading to RCE on a victim that renders a malicious PostScript/PDF. Outcome: upWriteComponentCommands, upYMoveCommand) and passes them DIRECTLY as the format string argument to gp_fprintf and gs_snprintf inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions. | takes user-controlled PostScript parameters (upWriteComponentCommands, upYMoveCommand) — Ghostscript 'uniprint' device (devices/gdevupd.c). Tension: Attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read & write primitives, bypassing -dSAFER. Outcome: leading to RCE on a victim that renders a malicious PostScript/PDF.