Bug 16453 - ghostscript new security issue CVE-2015-3228
Summary: ghostscript new security issue CVE-2015-3228
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/652551/
Whiteboard: MGA4TOO advisory MGA4-64-OK MGA4-32-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-23 17:40 CEST by David Walser
Modified: 2015-08-10 16:33 CEST
CC: 4 users

See Also:
Source RPM: ghostscript-9.14-3.mga5.src.rpm
CVE:
Status comment:


Attachments
Test file for Bug 16453 (9 bytes, application/postscript), 2015-07-28 21:44 CEST, Lewis Smith

Description David Walser 2015-07-23 17:40:50 CEST
An integer overflow has been fixed upstream in Ghostscript:
http://openwall.com/lists/oss-security/2015/07/23/14

The message above contains a link to the upstream commit to fix it.

Mageia 4 and Mageia 5 are also affected.

David Walser 2015-07-23 17:41:15 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-23 18:18:29 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Waiting for the RedHat bug to be opened to the public before assigning to QA.

The upstream bugs linked above have PoC information.

Updated packages in core/updates_testing:
========================
ghostscript-9.10-2.1.mga4
ghostscript-dvipdf-9.10-2.1.mga4
ghostscript-common-9.10-2.1.mga4
ghostscript-X-9.10-2.1.mga4
ghostscript-module-X-9.10-2.1.mga4
libgs9-9.10-2.1.mga4
libgs-devel-9.10-2.1.mga4
libijs1-0.35-101.1.mga4
libijs-devel-0.35-101.1.mga4
ghostscript-doc-9.10-2.1.mga4
ghostscript-9.14-3.1.mga5
ghostscript-dvipdf-9.14-3.1.mga5
ghostscript-common-9.14-3.1.mga5
ghostscript-X-9.14-3.1.mga5
ghostscript-module-X-9.14-3.1.mga5
libgs9-9.14-3.1.mga5
libgs-devel-9.14-3.1.mga5
libijs1-0.35-107.1.mga5
libijs-devel-0.35-107.1.mga5
ghostscript-doc-9.14-3.1.mga5

from SRPMS:
ghostscript-9.10-2.1.mga4.src.rpm
ghostscript-9.14-3.1.mga5.src.rpm

Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Version: Cauldron => 5

David Walser 2015-07-27 19:16:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/652551/

Comment 2 David Walser 2015-07-27 21:11:39 CEST
Assigning to QA (RedHat bug is open now).  Package list in Comment 1.  Note the reference to PoC information in Comment 1.

Advisory:
========================

Updated ghostscript packages fix security vulnerability:

GhostScript is vulnerable to an integer overflow when processing a crafted
PostScript file using the ps2pdf command (CVE-2015-3228).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3228
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3228

Assignee: bugsquad => qa-bugs

Dave Hodgins 2015-07-28 16:40:49 CEST

Whiteboard: MGA4TOO => MGA4TOO advisory
CC: (none) => davidwhodgins

Comment 3 Lewis Smith 2015-07-28 21:38:47 CEST
The link in Description points to two others:
 http://bugs.ghostscript.com/show_bug.cgi?id=696041
 http://bugs.ghostscript.com/show_bug.cgi?id=696070
The first bug contains a reference to a test file 'test.ps' which needs a login to access; the second bug attachment 'test file' *can* be accessed. I shall attach it to *this* bug to help test it. I hope it is the same test file in both cases.

Given the specially crafted test.ps file,
 $ ps2pdf test.ps
should crash "Segmentation fault". However, trying it on Mageia 5 yielded for me:
"Error: /VMerror in (binary token, type=128)
VM status: 1 625439 1914128
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1"
The same using the more detailed command cited:
 $ /usr/bin/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile=test.pdf -P- -dSAFER -dCompatibilityLevel=1.4 -c .setpdfwrite -f test.ps

CC: (none) => lewyssmith

Comment 4 Lewis Smith 2015-07-28 21:44:04 CEST
Created attachment 6868 [details]
Test file for Bug 16453

The test file cited in upstream bugs, to use with
 $ ps2pdf test.ps
It should segfault. Apparently it is rubbish, so even after the update may yield errors.
Comment 5 Lewis Smith 2015-07-28 21:59:56 CEST
Testing MGA5 x64

Before: ghostscript-common-9.14-3.mga5, ghostscript-module-X-9.14-3.mga5, 
ghostscript-fonts-8.11-19.mga5, ghostscript-9.14-3.mga5, lib64gs9-9.14-3.mga5
 $ ps2pdf test.ps
Error: /VMerror in (binary token, type=128)
VM status: 1 625439 1914128
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1
[rather than the segfault originally cited]

After: ghostscript-common-9.14-3.1.mga5, ghostscript-module-X-9.14-3.1.mga5, 
ghostscript-fonts-8.11-19.mga5, ghostscript-9.14-3.1.mga5, lib64gs9-9.14-3.1.mga5
 Exactly the same result. Errors are expected because the test file is rubbish. But what next?
Comment 6 Len Lawrence 2015-07-28 22:09:15 CEST
Hope you don't mind Lewis.  Having a look at the PoC on 64bit system.
Straightforward gs ...
[lcl@vega ~/Downloads]$ gs test.ps
GPL Ghostscript 9.14 (2014-03-26)
Copyright (C) 2014 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Error: /VMerror in (binary token, type=128)
VM status: 1 2537243 3833600
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1

Using the gs command you cited gives substantially the same result as yours.

Looking at test.ps in an editor shows

^@\200^@\200\377^?\377\377\343

which is all non-printing characters as far as I can see.  I wonder how the postscript interpreter is supposed to deal with them.  Maybe it has a binary read mode.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2015-07-28 22:25:18 CEST
On the other hand, this is a PoC so maybe the test file does not have to look like Postscript.  It is rubbish and does cause an error.  And shortly after that my whole system hung....
Comment 8 Lewis Smith 2015-07-29 10:36:41 CEST
Len
> Hope you don't mind Lewis.  Having a look at the PoC on 64bit system.
Not at all! Delighted to have company.

Testing MGA4 x64

Again unable to reproduce the segfault, so that results before & after the update were the same.

BEFORE: ghostscript-common-9.10-2.mga4, ghostscript-module-X-9.10-2.mga4, 
ghostscript-9.10-2.mga4, lib64gs9-9.10-2.mga4
 $ ps2pdf test.ps
 Error: /VMerror in (binary token, type=128)
 VM status: 1 625351 1914128
 Current allocation mode is local
 GPL Ghostscript 9.10: Unrecoverable error, exit code 1

AFTER: ghostscript-module-X-9.10-2.1.mga4, ghostscript-common-9.10-2.1.mga4,
ghostscript-9.10-2.1.mga4, lib64gs9-9.10-2.1.mga4
 $ ps2pdf test.ps
Output identical to before. Nothing proven.

Can anyone get the test file from:
 http://bugs.ghostscript.com/show_bug.cgi?id=696041 [Comment 1]
in case it *is* different and yields the segfault?
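A small check for the procedure in Comments 3 to 8, added here as an illustration and not part of the original bug report or of Ghostscript itself: it rebuilds the 9-byte attachment from the bytes Len Lawrence listed in Comment 6 (assumed to be the exact file), feeds it to gs with the pdfwrite device using a subset of the options quoted in Comment 3, and classifies the exit status, so that a handled /VMerror (gs exits 1) is told apart from the segfault the upstream bug describes (the shell reports 128+SIGSEGV, i.e. 139). The function names and the temporary file handling are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from Ghostscript): rebuild the PoC
# file and classify what gs does with it.  Assumes the 9 bytes shown in
# Comment 6 are the whole attachment.

# Write the 9-byte test file: ^@ \200 ^@ \200 \377 ^? \377 \377 \343
make_test_ps() {
    printf '\000\200\000\200\377\177\377\377\343' > "$1"
}

# Hex dump as one string, so the file contents can be compared exactly.
test_ps_hex() {
    od -An -tx1 -v "$1" | tr -d ' \n'
}

# Map an exit status from gs to a verdict:
#   0   -> ok       : interpreted without complaint
#   1   -> handled  : "Unrecoverable error, exit code 1" (the /VMerror seen above)
#   139 -> segfault : 128 + SIGSEGV(11), the outcome the upstream bug describes
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        1)   echo handled ;;
        139) echo segfault ;;
        *)   echo "other:$1" ;;
    esac
}

# Run gs on $1, writing PDF output to $2, and print the verdict.
# Prints "gs-missing" when Ghostscript is not installed, so the file can
# still be sourced on a machine without it.
run_gs_poc() {
    command -v gs >/dev/null 2>&1 || { echo gs-missing; return 0; }
    st=0
    gs -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite \
       -sOutputFile="$2" "$1" >/dev/null 2>&1 || st=$?
    classify_exit "$st"
}

main() {
    ps=$(mktemp) && pdf=$(mktemp)
    make_test_ps "$ps"
    echo "test.ps bytes: $(test_ps_hex "$ps") ($(wc -c < "$ps" | tr -d ' ') bytes)"
    echo "gs verdict:    $(run_gs_poc "$ps" "$pdf")"
    rm -f "$ps" "$pdf"
}

# Invoke as:  sh poc_check.sh run
case "${1:-}" in run) main ;; esac
```

Run it once against the old packages and once after the update: a "handled" verdict both times is what Comments 5 and 8 report and proves nothing about the fix, whereas "segfault" before and "handled" after would be the regression check the bug asks for. A verdict of "segfault" on a supposedly fixed build is the result worth reopening over.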
Lewis Smith 2015-08-02 21:52:35 CEST

Whiteboard: MGA4TOO advisory => MGA4TOO advisory feedback

Comment 9 David Walser 2015-08-02 22:03:05 CEST
I guess the test.ps that we can't access from the first upstream bug (which triggers a segfault) is not the same as the one on the second bug, and is not available.  That's fine.  We can OK this.

Whiteboard: MGA4TOO advisory feedback => MGA4TOO advisory

Lewis Smith 2015-08-02 22:06:52 CEST

Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-64-OK

Comment 10 David Walser 2015-08-02 22:16:11 CEST
I also tested ps2pdf with an old PS file I had and the resulting PDF looks good.  Mageia 4 i586.

Whiteboard: MGA4TOO advisory MGA4-64-OK => MGA4TOO advisory MGA4-64-OK MGA4-32-OK

Comment 11 Lewis Smith 2015-08-05 21:12:29 CEST
Testing again Mageia 5 x64 (OK)

Starting inadvertently with the *updated* packages:
 ghostscript-common-9.14-3.1.mga5
 ghostscript-module-X-9.14-3.1.mga5
 ghostscript-9.14-3.1.mga5
I did the following tests:

- $ ps2pdf test.ps
 which gave the same error as in Comments 5/8, so this is deemed OK.

- Using Firefox 'print to file' (this page!) I first asked for a .ps file - a handy way to produce a PostScript file.
Then repeated this to produce a .pdf file. Compared the two with a viewer to confirm their essential sameness.
Used
 $ ps2pdf <postscript file .ps> <output file .pdf>
Compared with a viewer, the PDF produced directly by Firefox and that produced via ps2pdf were essentially identical.
So the program seems to work OK.

Whiteboard: MGA4TOO advisory MGA4-64-OK MGA4-32-OK => MGA4TOO advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK

Dave Hodgins 2015-08-10 05:51:25 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2015-08-10 16:33:10 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0308.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

