Bug 31758

Summary: ghostscript new security issue CVE-2023-28879
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, fri, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ghostscript-9.53.3-2.3.mga8.src.rpm CVE: CVE-2023-28879
Status comment:

Description David Walser 2023-04-05 02:13:22 CEST 
Debian-LTS has issued an advisory today (April 4):
https://www.debian.org/lts/security/2023/dla-3381

Mageia 8 is also affected.
David Walser 2023-04-05 02:13:30 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-04-05 17:55:20 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-04-06 10:53:10 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written. (CVE-2023-28879)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28879
https://www.debian.org/lts/security/2023/dla-3381
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.53.3-2.4.mga8
ghostscript-X-9.53.3-2.4.mga8
ghostscript-common-9.53.3-2.4.mga8
ghostscript-dvipdf-9.53.3-2.4.mga8
ghostscript-doc-9.53.3-2.4.mga8
ghostscript-module-X-9.53.3-2.4.mga8
lib(64)gs9-9.53.3-2.4.mga8
lib(64)gs-devel-9.53.3-2.4.mga8
lib(64)ijs1-0.35-162.4.mga8
lib(64)ijs-devel-0.35-162.4.mga8

from SRPM:
ghostscript-9.53.3-2.4.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-28879
Version: Cauldron => 8
Source RPM: ghostscript-10.00.0-5.mga9.src.rpm => ghostscript-9.53.3-2.3.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2023-04-06 18:51:19 CEST 
Debian has issued an advisory for this on April 5:
https://www.debian.org/security/2023/dsa-5383
Comment 4 Morgan Leijström 2023-04-07 08:51:31 CEST 
mga8-64 OK simple test

Clean update of the packages this system had installed, to

- ghostscript-9.53.3-2.4.mga8.x86_64
- ghostscript-common-9.53.3-2.4.mga8.x86_64
- ghostscript-module-X-9.53.3-2.4.mga8.x86_64
- lib64gs9-9.53.3-2.4.mga8.x86_64

rebooted

Printing works

$ gs some.pdf
opens that pdf in a window.

CC: (none) => fri

PC LX 2023-04-07 21:40:29 CEST

CC: (none) => mageia

Comment 5 Thomas Andrews 2023-04-09 16:14:19 CEST 
 An additional test using VirtualBox:

No installation issues in the MGA8-64 guest.

It was determined in Bug 22590 that Okular uses ghostscript libraries to render .ps files, so I loaded a simple .ps file from a shared folder on the host machine, which rendered correctly. I then saved a copy in the guest's home directory as a .ps file, closed Okular, and displayed the file using ghostscript-x's gs command. Looked good.

Giving this an OK, and validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2023-04-11 00:49:36 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-04-11 21:03:50 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0134.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2023-04-13 17:03:28 CEST 
More details about this were posted on oss-security yesterday:
https://www.openwall.com/lists/oss-security/2023/04/12/4