Bug 29453

Summary: ghostscript new security issue CVE-2021-3781
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, smelror, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ghostscript-9.53.3-2.mga8.src.rpm CVE: CVE-2021-3781
Status comment:

Description David Walser 2021-09-10 18:21:26 CEST 
Ubuntu has issued an advisory today (September 10):
https://ubuntu.com/security/notices/USN-5075-1

Mageia 8 is also affected.
David Walser 2021-09-10 18:21:56 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Lewis Smith 2021-09-10 19:59:59 CEST 
Not officially your baby, Stig, but you have done most of the most recent commits to 'ghostscript'; so assigning this to you rather than everybody.

Assignee: bugsquad => smelror

Comment 2 David Walser 2021-09-12 18:40:07 CEST 
Debian has issued an advisory for this on September 10:
https://www.debian.org/security/2021/dsa-4972
Comment 3 David Walser 2021-09-15 15:57:42 CEST 
More references (this is apparently extremely serious):
https://bugs.ghostscript.com/show_bug.cgi?id=704342
https://therecord.media/ghostscript-zero-day-allows-full-server-compromises

CC: (none) => smelror
Assignee: smelror => pkg-bugs

Comment 4 David Walser 2021-09-15 16:09:12 CEST 
openSUSE has issued an advisory for this today (September 15):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/
Comment 5 Nicolas Salguero 2021-09-15 16:50:48 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Trivial -dSAFER bypass in 9.55. (CVE-2021-3781)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3781
https://ubuntu.com/security/notices/USN-5075-1
https://www.debian.org/security/2021/dsa-4972
https://bugs.ghostscript.com/show_bug.cgi?id=704342
https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.53.3-2.1.mga8
ghostscript-common-9.53.3-2.1.mga8
ghostscript-doc-9.53.3-2.1.mga8
ghostscript-dvipdf-9.53.3-2.1.mga8
ghostscript-module-X-9.53.3-2.1.mga8
ghostscript-X-9.53.3-2.1.mga8
lib64gs9-9.53.3-2.1.mga8
lib64gs-devel-9.53.3-2.1.mga8
lib64ijs1-0.35-162.1.mga8
lib64ijs-devel-0.35-162.1.mga8

from SRPM:
ghostscript-9.53.3-2.1.mga8.src.rpm

CVE: (none) => CVE-2021-3781
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: ghostscript-9.54.0-1.mga9.src.rpm => ghostscript-9.53.3-2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from Ubuntu => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Comment 6 Len Lawrence 2021-09-15 20:56:54 CEST 
mga8, x86_64

CVE-2021-3781
https://bugs.ghostscript.com/show_bug.cgi?id=704342
Ran the exploit(?) as user and root with similar results.
# gs -dSAFER
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>sh: line 1: /tmp/: Is a directory
uid=0(root) gid=0(root) groups=0(root)

After the update:
$ gs -dSAFER
GPL Ghostscript 9.53.3 (2020-10-01)
....
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
.....
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24

This looks similar to the upstream result which must be the afterwards case.
No exposure of user  uid/guid this time.
This is probably a good result.

Testing ghostscript later.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-09-15 21:57:14 CEST 
Continuing:
$ gs abc-2.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
Loading CharterBT-Roman font from /usr/share/fonts/default/ghostscript/bchr.pfa... 4408580 2777142 1710392 411483 3 done.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.53.3/Resource/Font//usr/share/.
Can't find (or can't open) font file BlueHighway.
Loading BlueHighway font from /usr/share/fonts/ttf/western/Bluehigh.ttf... 4562236 3040665 5139556 3709496 3 done.
>>showpage, press <return> to continue<<

GS>quit

That showed a page of address labels.
$ lpr -Pokda abc-2.ps
That printed the address labels on a single sheet.  The presumption is that CUPS  uses Ghostscript at some stage.
$ urpmq --whatrequires lib64gs9
ghostscript
ghostscript-X
gimp
lib64gs-devel
lib64gs9
lib64spectre1
texlive
$ urpmq --whatrequires-recursive lib64gs9 | sort -u
...
cups
cups2freefax
cups-drivers
cups-drivers-*
..............
hplip
hplip-gui
hplip-hpijs
hplip-hpijs-ppds
....
task-printing....

Reckon this is OK.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2021-09-17 13:57:15 CEST 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 David Walser 2021-09-20 20:55:05 CEST 
Fedora has issued an advisory for this today (September 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUUU23H5AUDW3KBMY6WD4MQFZLMXYMIT/
Dave Hodgins 2021-09-22 21:10:23 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2021-09-23 06:52:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0436.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED