Bug 25294

More details on the issue:
https://www.openwall.com/lists/oss-security/2019/08/12/4

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two submitters.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero, smelror

Done for mga6, mga7 and Cauldron!

CC: (none) => geiger.david68210

Advisory:
========================

Updated ghostscript packages fix security vulnerability:

It was found that the .buildfont1 procedure did not properly secure its
privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An
attacker could abuse this flaw by creating a specially crafted PostScript file
that could escalate privileges and access files outside of restricted areas
(CVE-2019-10216).

Also, the Mageia 7 update fixes a bounding box issue that affects klatexformula
(mga#24866).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10216
https://www.openwall.com/lists/oss-security/2019/08/12/4
https://access.redhat.com/errata/RHSA-2019:2462
https://bugs.mageia.org/show_bug.cgi?id=24866
https://bugs.mageia.org/show_bug.cgi?id=25294
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.26-1.5.mga6
ghostscript-dvipdf-9.26-1.5.mga6
ghostscript-common-9.26-1.5.mga6
ghostscript-X-9.26-1.5.mga6
ghostscript-module-X-9.26-1.5.mga6
libgs9-9.26-1.5.mga6
libgs-devel-9.26-1.5.mga6
libijs1-0.35-143.5.mga6
libijs-devel-0.35-143.5.mga6
ghostscript-doc-9.26-1.5.mga6
ghostscript-9.27-1.2.mga7
ghostscript-dvipdf-9.27-1.2.mga7
ghostscript-common-9.27-1.2.mga7
ghostscript-X-9.27-1.2.mga7
ghostscript-module-X-9.27-1.2.mga7
lib64gs9-9.27-1.2.mga7
lib64gs-devel-9.27-1.2.mga7
lib64ijs1-0.35-147.2.mga7
lib64ijs-devel-0.35-147.2.mga7
ghostscript-doc-9.27-1.2.mga7

from SRPMS:
ghostscript-9.26-1.5.mga6.src.rpm
ghostscript-9.27-1.2.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Updated from release 1.4 to 1.5 on Mageia6.
Restarted CUPS server.
Used HP Photosmart5520 wireless printer.

No reproducers available.  Some online discussions are still not public.

Works with CUPS/HPLIP at the cli for gs and lpr, and from the gui for LibreOffice writer
and Firefox (essentially LO).

$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning:  no %%Page comments generated.

The generated PDF displays fine with xpdf or okular.

Tried this from an earlier bug report - don't know if the numbers are significant for
this version.

$ gs -dSAFER -dNODISPLAY
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) }
GS<3>ifelse print
SAFE
GS>quit

The "SAFE" came up without prompting.

This looks good for 64-bits.

CC: (none) => tarazed25
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

mga7, x86_64

HP Photosmart 5520 wifi printer
CUPS/HPLIP

Updated all the packages.

Printed a postscript file using lpr and viewed it with gs.
Printed an image with LibreOffice draw and an odt file with LO writer.

Converted a dvi file to a pdf using dvipdf.  Result was OK.

The SAFE test from comment 5 worked as before.

This is fine for 64bit.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED