Bug 32237

Summary: ghostscript new security issue CVE-2023-38559
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, luigiwalser, mageia, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: ghostscript-10.00.0-6.1.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 32070    

Description Nicolas Salguero 2023-09-04 16:40:26 CEST 
Ubuntu has issued an advisory on August 17:
https://ubuntu.com/security/notices/USN-6297-1

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-09-04 16:41:12 CEST

Source RPM: (none) => ghostscript-10.00.0-6.1.mga9.src.rpm
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Nicolas Salguero 2023-09-05 09:06:44 CEST

Summary: ghostscript new security issue CVE-2023-38559 => ghostscript new security issues CVE-2023-38559 and CVE-2023-38560

Comment 1 Nicolas Salguero 2023-09-05 11:59:58 CEST 
CVE-2023-38560 affects some code not present in ghostscript (pcl)

Summary: ghostscript new security issues CVE-2023-38559 and CVE-2023-38560 => ghostscript new security issue CVE-2023-38559

Nicolas Salguero 2023-09-05 12:05:05 CEST

Blocks: (none) => 32070

Comment 2 Nicolas Salguero 2023-09-05 13:12:51 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). (CVE-2023-36664)

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs. (CVE-2023-38559)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664
https://www.debian.org/security/2023/dsa-5446
https://ubuntu.com/security/notices/USN-6213-1
https://bugs.mageia.org/show_bug.cgi?id=32070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38559
https://ubuntu.com/security/notices/USN-6297-1
========================

Updated packages in 8/core/updates_testing:
========================
ghostscript-9.53.3-2.6.mga8
ghostscript-X-9.53.3-2.6.mga8
ghostscript-common-9.53.3-2.6.mga8
ghostscript-doc-9.53.3-2.6.mga8
ghostscript-dvipdf-9.53.3-2.6.mga8
ghostscript-module-X-9.53.3-2.6.mga8
lib(64)gs-devel-9.53.3-2.6.mga8
lib(64)gs9-9.53.3-2.6.mga8
lib(64)ijs-devel-0.35-162.6.mga8
lib(64)ijs1-0.35-162.6.mga8

from SRPM:
ghostscript-9.53.3-2.6.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
ghostscript-10.00.0-6.2.mga9
ghostscript-X-10.00.0-6.2.mga9
ghostscript-common-10.00.0-6.2.mga9
ghostscript-doc-10.00.0-6.2.mga9
ghostscript-dvipdf-10.00.0-6.2.mga9
ghostscript-module-X-10.00.0-6.2.mga9
lib(64)gs10-10.00.0-6.2.mga9
lib(64)gs-devel-10.00.0-6.2.mga9
lib(64)ijs1-0.35-173.1.mga9
lib(64)ijs-devel-0.35-173.1.mga9

from SRPM:
ghostscript-10.00.0-6.2.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

Comment 3 David Walser 2023-09-05 13:41:34 CEST 
*** Bug 32070 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

Nicolas Salguero 2023-09-05 15:52:09 CEST

Assignee: nicolas.salguero => qa-bugs

PC LX 2023-09-06 11:16:06 CEST

CC: (none) => mageia

Comment 4 Herman Viaene 2023-09-06 16:02:21 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 31758 Comment 5:
Used okular and the gs command to display some device's pdf manual and all worked OK.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 5 Len Lawrence 2023-09-07 17:13:52 CEST 
Mageia9, x86_64
qarepo could not find the last two packages in the list.  The chosen mirror contained the next version, 2.  Retried with the corrected package names and all was well.
lib64ijs-devel-0.35-173.2.mga9.x86_64.rpm
lib64ijs1-0.35-173.2.mga9.x86_64.rpm

Ran MageiaUpdate.

$ lilypond input_regression_les-nereides.ly
GNU LilyPond 2.24.1 (running Guile 2.2)
Processing `input_regression_les-nereides.ly'
Parsing...
Interpreting music...
Preprocessing graphical objects...
Finding the ideal number of pages...
Fitting music on 1 page...
Drawing systems...
Converting to `input_regression_les-nereides.pdf'...
Success: compilation successfully completed

Viewed the resulting PDF file in okular and gs - it displayed a few bars of a musical score.  Printed that from the file menu in okular.

Viewed an encapsulated postscript file with gs then printed it via CUPS.
$ lpr -Pokda abc-0.ps
That delivered a sheet of postal labels in the Gemelli font.

This looks good for Mageia9.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => tarazed25

Comment 6 Nicolas Salguero 2023-09-07 17:19:09 CEST 
Oops ! You are right: I forgot to increase the sub release number in my comment 2. Sorry!
Comment 7 Thomas Andrews 2023-09-08 00:21:53 CEST 
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-09-11 02:46:09 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-09-11 15:09:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0260.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED