PatchSiren

PatchSiren cyber security CVE debrief

CVE-2013-5653 Artifex CVE debrief

CVE-2013-5653 affects Ghostscript 9.10 and can defeat the expected -dSAFER sandboxing behavior in getenv and filenameforall, allowing data disclosure from crafted PostScript content. NVD classifies the issue as CWE-200 information disclosure with CVSS 5.5, and the record links to vendor and distro advisories and patches. Treat this as especially relevant anywhere Ghostscript processes untrusted documents.

Vendor: Artifex
Product: CVE-2013-5653
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-07
Original CVE updated: 2026-05-13
Advisory published: 2017-03-07
Advisory updated: 2026-05-13

Who should care

Administrators, security teams, and application owners that run Ghostscript 9.10 or package it through distributions such as Debian 8.0 or Red Hat-linked builds. This matters most in document-conversion, preview, and pipeline environments that accept PostScript or other untrusted input.

Technical summary

The NVD description says the getenv and filenameforall functions in Ghostscript 9.10 ignore the -dSAFER argument, so code expecting restricted access may still read data from the filesystem when processing a crafted PostScript file. The record maps the weakness to CWE-200 and provides a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The supplied record also shows vendor and distribution references to patches and issue trackers, indicating this was addressed through updates rather than a configuration-only workaround.

Defensive priority

Medium overall, but prioritize higher in any environment that processes untrusted PostScript or PDF-derived content with Ghostscript 9.10.

Recommended defensive actions

  • Apply the vendor or distribution updates referenced by the Ghostscript, Red Hat, and Debian advisories in the supplied record.
  • Inventory systems and services that invoke Ghostscript 9.10, including batch conversion, preview, print, and upload-processing workflows.
  • Treat -dSAFER as unreliable on the affected release and avoid relying on it as the only control for untrusted documents.
  • Restrict Ghostscript processing to least-privilege accounts and isolate it from sensitive files and directories.
  • Review document-processing pipelines for exposure to crafted PostScript inputs and add validation, sandboxing, or service isolation where possible.
  • Confirm remediated package versions through your distribution’s advisory channel before re-enabling untrusted-document processing.
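The two actions above that lend themselves to scripting are the inventory of hosts running the affected release and the least-privilege, isolated invocation. The following POSIX shell script is an added example written for this debrief; it is not code from PatchSiren, Artifex, or any distribution advisory. It assumes a dedicated unprivileged account named gsworker, a scratch root at /var/lib/gsworker, and the presence of env, mktemp, and runuser; all of those names are assumptions, not values from the record. The version check is deliberately strict, since the record names only Ghostscript 9.10.

```shell
#!/bin/sh
# Added example (not from PatchSiren or Artifex). Part 1 flags the release
# named in CVE-2013-5653 in a host inventory; part 2 runs Ghostscript the
# way the recommended actions describe: unprivileged account, cleared
# environment, and a scratch directory holding only the document in hand.
# Assumed names: account 'gsworker', scratch root /var/lib/gsworker.

# gs_version_affected VERSION -> exit 0 if VERSION is the release the record
# names (9.10), else 1. Extend the pattern from your distribution's advisory
# if it lists further builds; the record itself names only 9.10.
gs_version_affected() {
    case "$1" in
        9.10|9.10.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# gs_report_line HOST VERSION -> one inventory line, e.g. "conv-01 9.10 AFFECTED"
gs_report_line() {
    if gs_version_affected "$2"; then
        printf '%s %s AFFECTED\n' "$1" "$2"
    else
        printf '%s %s ok\n' "$1" "$2"
    fi
}

# gs_inventory reads "host version" pairs on stdin, prints one line per
# host, and returns 1 if any host runs the affected release (0 otherwise).
gs_inventory() {
    rc=0
    while read -r host ver; do
        [ -n "$host" ] || continue
        gs_report_line "$host" "$ver"
        gs_version_affected "$ver" && rc=1
    done
    return $rc
}

# gs_hardened_cmd IN OUT WORKDIR -> the command line the wrapper runs.
# env -i drops every inherited variable, so getenv can see only the PATH
# and HOME set here; the job runs from the scratch directory, so relative
# enumeration by filenameforall sees only the input; -dSAFER stays on as
# defence in depth even though it is not trusted on the affected release.
gs_hardened_cmd() {
    printf 'env -i PATH=/usr/bin:/bin HOME=%s gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=%s %s\n' \
        "$3" "$2" "$1"
}

# gs_convert_isolated INPUT OUTPUT: refuse to run the affected release, copy
# the input into a fresh scratch directory, and run the hardened command
# there as the unprivileged gsworker account (assumes root or sudo caller).
gs_convert_isolated() {
    in="$1"; out="$2"
    ver=$(gs --version 2>/dev/null | head -n 1) || { echo "gs not found" >&2; return 2; }
    if gs_version_affected "$ver"; then
        echo "refusing: Ghostscript $ver is affected by CVE-2013-5653; update first" >&2
        return 3
    fi
    work=$(mktemp -d /var/lib/gsworker/job.XXXXXX) || return 2
    cp "$in" "$work/input.ps" || { rm -rf "$work"; return 2; }
    (cd "$work" && runuser -u gsworker -- sh -c "$(gs_hardened_cmd input.ps output.pdf "$work")")
    rc=$?
    [ $rc -eq 0 ] && cp "$work/output.pdf" "$out"
    rm -rf "$work"
    return $rc
}

# Constructed sample inventory (hypothetical hosts and versions), run with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf 'conv-01 9.10\nconv-02 9.20\npreview-03 9.10.0\n' | gs_inventory
fi
```

Run `sh gs_check.sh --demo` to see the inventory output for the constructed sample; feed real `host version` pairs collected from `gs --version` on each system to get an actual report. The wrapper never relies on -dSAFER alone: the account, the cleared environment, and the scratch directory each limit what a crafted file could read even where the flag is ignored.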

Evidence notes

Supported by the supplied NVD record and its linked references. The record states Ghostscript 9.10 ignores -dSAFER in getenv and filenameforall, classifies the issue as CWE-200, and assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. References include official CVE/NVD records, Red Hat advisories, Debian DSA-3691, Openwall patch notices dated 2016-09-29, and Ghostscript issue trackers tagged with patches. The CVE was published 2017-03-07 and modified 2026-05-13 in the supplied timeline.

Official resources

The linked Openwall patch notices are dated 2016-09-29, which predates the NVD publication date of 2017-03-07 in the provided data; the record was last modified on 2026-05-13 in the supplied timeline.