| Summary: | ghostscript new security issue CVE-2016-10317 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, marja11, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | ghostscript-9.22-2.mga7.src.rpm | CVE: | CVE-2016-10317 |
| Status comment: | |||
|
Description
David Walser
2018-02-14 12:37:36 CET
David Walser
2018-02-14 12:37:53 CET
Whiteboard:
(none) =>
MGA6TOO
David Walser
2018-02-14 12:39:11 CET
Status comment:
(none) =>
Patches available from openSUSE and upstream Assigning to all packagers collectively, since there is no registered maintainer for this package. Assignee:
bugsquad =>
pkg-bugs
Stig-Ørjan Smelror
2018-02-18 23:44:21 CET
CC:
(none) =>
smelror Advisory ======== This update fixes CVE-2016-10317. The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document. References ========== https://nvd.nist.gov/vuln/detail/CVE-2016-10317 Files ===== The following files has been uploaded to core/updates_testing ghostscript-9.22-1.2.mga6 ghostscript-X-9.22-1.2.mga6 ghostscript-common-9.22-1.2.mga6 ghostscript-doc-9.22-1.2.mga6 ghostscript-dvipdf-9.22-1.2.mga6 ghostscript-module-X-9.22-1.2.mga6 from ghostscript-9.22-1.2.mga6.src.rpm Version:
Cauldron =>
6 Cauldron has been updated to ghostscript-9.22-3.mga7. Cheers, Stig Mageia 6 :: x86_64
The ghostscript packages updated cleanly. Added whatever was missing.
Examined a postscript file.
$ gs tmp/abc-0.ps
GPL Ghostscript 9.22 (2017-10-04)
Copyright (C) 2017 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.22/Resource/Font/Gunplay3D.
Can't find (or can't open) font file Gunplay3D.
Loading Gunplay3D font from /usr/share/fonts/drakfont/tmp/tmp/gunplay3.ttf... 4323612 2917313 5752560 4394808 3 done.
A page of labels was displayed.
$ dvipdf docs/software/refcard.dvi refcard.pdf
There were warnings that the output would be of poor quality but with
$ xpdf refcard.pdf
the quality looked pretty good. The result was a six page GNU Emacs Reference.
Copied local type1 fontfiles *.{afm,pfb} to /usr/share/fonts/default/ghostscript/ and moved to that directory and ran
$ sudo type1inst
to generate the Fontmap, etc files needed for the next test.
As user created a page of labels with various type1 fonts and printed it.
$ lpr -Pokda tmp/abc-0.ps
It looked fine both on the screen and on paper.
Don't know what else can be done to test this. It looks good to me.Whiteboard:
(none) =>
MGA6-64-OK Adding a Mageia 5 build for this update. (Same version/release just with mga5). Advisory: ======================== Updated ghostscript packages fix security vulnerability: The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document (CVE-2016-10317). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10317 https://lists.opensuse.org/opensuse-updates/2018-02/msg00039.html Status comment:
Patches available from openSUSE and upstream =>
(none) Advisory committed to svn. Testing on Mageia 5 needed before validating. CC:
(none) =>
davidwhodgins Mageia 5 -> x86_64, real hardware. (Athlon X2 7750, nvidia340 graphics, atheros wifi) Ghostscript and all other pending update packages installed cleanly. Downloaded a three-page sample file from the Web, containing both text and graphics. Loaded into GIMP, which I believe uses Ghostscript to render .ps files. File loaded as three layers, one for each page. Printed one page on an Officejet 6110 printer, looked good. Loaded into Okular, which I believe also uses Ghostscript to render .ps files. Printed two pages on a Deskjet 5650 printer, using duplexer. All looked good. I don't know how else to test this, either. Looks OK on MGA5. CC:
(none) =>
andrewsfarm @TJ comment 7: Just checked okular under Mageia 5 and can confirm that ghostscript is involved. cat trace | grep "ghost" | less stat("/usr/share/fonts/default/ghostscript", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 open("/usr/share/fonts/default/ghostscript", O_RDONLY|O_CLOEXEC) = 6 access("/usr/lib64/kde4/okularGenerator_ghostview.so", R_OK) = 0 stat("/usr/lib64/kde4/okularGenerator_ghostview.so", {st_mode=S_IFREG|0755, st_size=58880, ...}) = 0 and these calls were noted also: open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 12 open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 12 Validating the update. Keywords:
(none) =>
validated_update $ urpmq --requires-recursive okular | grep gs also shows lib64gs9. An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0142.html Resolution:
(none) =>
FIXED |