| Summary: | ghostscript new security issue CVE-2019-6116 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, mageia, marja11, nicolas.salguero, rverschelde, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | ghostscript-9.26-1.1.mga6.src.rpm | CVE: | CVE-2019-6116 |
| Status comment: | | | |

Description
David Walser
2019-01-25 04:22:03 CET
David Walser
2019-01-25 04:24:03 CET
Whiteboard:
(none) =>
MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

CC:
(none) =>
mageia, marja11, nicolas.salguero, rverschelde, smelror

Ubuntu and Debian have issued advisories for this on January 23 and 26:
https://usn.ubuntu.com/3866-1/
https://www.debian.org/security/2019/dsa-4372

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. (CVE-2019-6116)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://usn.ubuntu.com/3866-1/
https://www.debian.org/security/2019/dsa-4372
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.26-1.2.mga6
ghostscript-dvipdf-9.26-1.2.mga6
ghostscript-common-9.26-1.2.mga6
ghostscript-X-9.26-1.2.mga6
ghostscript-module-X-9.26-1.2.mga6
lib(64)gs9-9.26-1.2.mga6
lib(64)gs-devel-9.26-1.2.mga6
lib(64)ijs1-0.35-143.2.mga6
lib(64)ijs-devel-0.35-143.2.mga6
ghostscript-doc-9.26-1.2.mga6

from SRPMS:
ghostscript-9.26-1.2.mga6.src.rpm

Whiteboard:
MGA6TOO =>
(none)

Mageia 6, x86_64

*Before update*

ghostscript-9.26-1.1.mga6

CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5

Without sandbox:

```
$ gs ghostscript_926_forceput_typecheck_example.ps
[...]
Stage 0: PDFfile
Stage 1: q
Stage 3: oget
Stage 4: pdfemptycount
Stage 5: gput
Stage 6: resolvestream
Stage 7: pdfopdict
Stage 8: .pdfruncontext
Stage 9: pdfdict
Stage 10: /typecheck #1
Stage 10: /typecheck #2
Stage 11: Exploitation...
Should now have complete control over ghostscript, attempting to read /etc/passwd...
(root:x:0:0:root:/root:/bin/bash)
Attempting to execute a shell command...
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),946(qarepo),954(vboxusers),955(docker)
All done.
```

With sandbox:

```
$ gs -dSAFER -f ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push
Dictionary stack:
   --dict:959/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1
```

*After updates*

```
$ gs -dSAFER -f ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push
Dictionary stack:
   --dict:959/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1
```

At first sight it looks like this problem was fixed in version 9.26-1.1 but note that *without the sandbox* the exploit is still caught with the later version, so there is an improvement.

```
$ gs ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
[...]
GPL Ghostscript 9.26: Unrecoverable error, exit code 1
```

Quick tests:

```
$ gs abc-0.ps
[...]
Querying operating system for font files...
   **** Warning: glyf overlaps cmap, truncating.
   **** Warning: glyf overlaps cmap, truncating.
Can't find (or can't open) font file /usr/share/ghostscript/9.26/Resource/Font/BlueHighway.
Can't find (or can't open) font file BlueHighway.
Loading BlueHighway font from /usr/share/fonts/ttf/western/Bluehigh.ttf... 4770204 3090164 4207412 2809229 3 done.
Loading Gemelli font from /usr/share/fonts/default/ghostscript/gemelli.pfb... 4780460 3177439 4247812 2836394 3 done.
Loading MaxCircus font from /usr/share/fonts/default/ghostscript/maxcircus.pfb... 4806988 3285594 4288212 2850222 3 done.
>>showpage, press <return> to continue<<
GS>quit
```

The page shows perfectly on the screen as a set of address labels and can be printed from the command line.

```
$ lpr -Pokda abc-0.ps
$ libreoffice --writer --invisible -p utility_qflash_uefi.pdf
```

This printed a document on the default printer. Ran it under strace initially to look for signs of ghostscript interaction but could see none so ghostscript must come in later in the chain (-> CUPS -> rasterization?).

```
$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning: no %%Page comments generated.
$ ll refcard*
-rw-r--r-- 1 lcl lcl  15652 May  2  2018 refcard.dvi
-rw-r--r-- 1 lcl lcl 403474 Jan 28 17:55 refcard.pdf
```

The output file refcard.pdf looked perfect in xpdf.

Good for 64-bits.

Whiteboard:
(none) =>
MGA6-64-OK

Re comment 4: The printer connection with ghostscript is through hplip which has ghostscript-common, lib64gs9 and other ghostscript dependencies.

Thanks for the rapid test, Len. Validating, advisory from comment 3.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0056.html

Resolution:
(none) =>
FIXED
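
The `gs` transcripts in the QA comment above end in different ways, and `/undefinedfilename` together with `Last OS error: No such file or directory` is what Ghostscript reports when it cannot open the named input file, so a run ending that way exercised nothing. The shell function below is an added example, not part of the bug report or of Ghostscript: it classifies a captured run by those markers. The verdict names and the third sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify one captured `gs` run.

# has TEXT REGEX: succeeds when the extended regex matches any line of TEXT.
has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# classify_gs_log TEXT: print one verdict for a captured Ghostscript run.
#   not-run       gs could not open the input file, so nothing was tested
#   poc-executed  the test file reported success or OS command output appears
#   rejected      the file was opened and the interpreter raised an error
#   inconclusive  no known marker found; inspect the log by hand
classify_gs_log() {
    if has "$1" 'Error: /undefinedfilename in ' &&
       has "$1" 'Last OS error: No such file or directory'; then
        echo not-run
    elif has "$1" '^uid=[0-9]+\([^)]*\) gid=[0-9]+' ||
         has "$1" 'Should now have complete control over ghostscript'; then
        echo poc-executed
    elif has "$1" 'Error: /[A-Za-z]+ in '; then
        echo rejected
    else
        echo inconclusive
    fi
}

# Sample logs, abridged from the transcripts on this page.
LOG_BEFORE_NO_SAFER='Stage 10: /typecheck #2
Stage 11: Exploitation...
Should now have complete control over ghostscript, attempting to read /etc/passwd...
Attempting to execute a shell command...
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl)
All done.'

LOG_AFTER_SAFER='Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1'

# Constructed sample (not from the page): an error raised after the file was opened.
LOG_CONSTRUCTED='Error: /invalidaccess in --put--
GPL Ghostscript 9.26: Unrecoverable error, exit code 1'

for name in LOG_BEFORE_NO_SAFER LOG_AFTER_SAFER LOG_CONSTRUCTED; do
    eval "log=\$$name"
    printf '%-20s %s\n' "$name" "$(classify_gs_log "$log")"
done
```

A `not-run` verdict means the regression test has to be repeated with a path that exists, for example after checking it with `test -r`, before the result counts for or against the update.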