An integer overflow has been fixed upstream in Ghostscript:
http://openwall.com/lists/oss-security/2015/07/23/14

The message above contains a link to the upstream commit to fix it.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. Waiting for the RedHat bug to be opened to the public before assigning to QA. The upstream bugs linked above have PoC information.

Updated packages in core/updates_testing:
========================
ghostscript-9.10-2.1.mga4
ghostscript-dvipdf-9.10-2.1.mga4
ghostscript-common-9.10-2.1.mga4
ghostscript-X-9.10-2.1.mga4
ghostscript-module-X-9.10-2.1.mga4
libgs9-9.10-2.1.mga4
libgs-devel-9.10-2.1.mga4
libijs1-0.35-101.1.mga4
libijs-devel-0.35-101.1.mga4
ghostscript-doc-9.10-2.1.mga4

ghostscript-9.14-3.1.mga5
ghostscript-dvipdf-9.14-3.1.mga5
ghostscript-common-9.14-3.1.mga5
ghostscript-X-9.14-3.1.mga5
ghostscript-module-X-9.14-3.1.mga5
libgs9-9.14-3.1.mga5
libgs-devel-9.14-3.1.mga5
libijs1-0.35-107.1.mga5
libijs-devel-0.35-107.1.mga5
ghostscript-doc-9.14-3.1.mga5

from SRPMS:
ghostscript-9.10-2.1.mga4.src.rpm
ghostscript-9.14-3.1.mga5.src.rpm
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Version: Cauldron => 5
URL: (none) => http://lwn.net/Vulnerabilities/652551/
Assigning to QA (RedHat bug is open now). Package list in Comment 1. Note the reference to PoC information in Comment 1.

Advisory:
========================

Updated ghostscript packages fix security vulnerability:

GhostScript is vulnerable to an integer overflow when processing a crafted PostScript file using the ps2pdf command (CVE-2015-3228).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3228
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3228
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => MGA4TOO advisory
CC: (none) => davidwhodgins
The link in Description points to two others:
http://bugs.ghostscript.com/show_bug.cgi?id=696041
http://bugs.ghostscript.com/show_bug.cgi?id=696070

The first bug contains a reference to a test file 'test.ps' which needs a login to access; the second bug attachment 'test file' *can* be accessed. I shall attach it to *this* bug to help test it. I hope it is the same test file in both cases.

Given the specially crafted test.ps file,
$ ps2pdf test.ps
should crash "Segmentation fault". However, trying it on Mageia 5 yielded for me:
"Error: /VMerror in (binary token, type=128)
VM status: 1 625439 1914128
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1"

The same using the more detailed command cited:
$ /usr/bin/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile=test.pdf -P- -dSAFER -dCompatibilityLevel=1.4 -c .setpdfwrite -f test.ps
CC: (none) => lewyssmith
Created attachment 6868
Test file for Bug 16453

The test file cited in upstream bugs, to use with
$ ps2pdf test.ps
It should segfault. Apparently it is rubbish, so even after the update may yield errors.
Testing MGA5 x64

Before: ghostscript-common-9.14-3.mga5, ghostscript-module-X-9.14-3.mga5, ghostscript-fonts-8.11-19.mga5, ghostscript-9.14-3.mga5, lib64gs9-9.14-3.mga5
$ ps2pdf test.ps
Error: /VMerror in (binary token, type=128)
VM status: 1 625439 1914128
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1
[rather than the segfault originally cited]

After: ghostscript-common-9.14-3.1.mga5, ghostscript-module-X-9.14-3.1.mga5, ghostscript-fonts-8.11-19.mga5, ghostscript-9.14-3.1.mga5, lib64gs9-9.14-3.1.mga5
Exactly the same result. Errors are expected because the test file is rubbish. But what next?
Hope you don't mind Lewis. Having a look at the PoC on 64bit system.

Straightforward gs ...
[lcl@vega ~/Downloads]$ gs test.ps
GPL Ghostscript 9.14 (2014-03-26)
Copyright (C) 2014 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Error: /VMerror in (binary token, type=128)
VM status: 1 2537243 3833600
Current allocation mode is local
GPL Ghostscript 9.14: Unrecoverable error, exit code 1

Using the gs command you cited gives substantially the same result as yours.

Looking at test.ps in an editor shows
^@\200^@\200\377^?\377\377\343
which is all non-printing characters as far as I can see. I wonder how the postscript interpreter is supposed to deal with them. Maybe it has a binary read mode.
CC: (none) => tarazed25
On the other hand, this is a PoC so maybe the test file does not have to look like Postscript. It is rubbish and does cause an error. And shortly after that my whole system hung....
Len
> Hope you don't mind Lewis. Having a look at the PoC on 64bit system.
Not at all! Delighted to have company.

Testing MGA4 x64

Again unable to reproduce the segfault, so that results before & after the update were the same.

BEFORE: ghostscript-common-9.10-2.mga4, ghostscript-module-X-9.10-2.mga4, ghostscript-9.10-2.mga4, lib64gs9-9.10-2.mga4
$ ps2pdf test.ps
Error: /VMerror in (binary token, type=128)
VM status: 1 625351 1914128
Current allocation mode is local
GPL Ghostscript 9.10: Unrecoverable error, exit code 1

AFTER: ghostscript-module-X-9.10-2.1.mga4, ghostscript-common-9.10-2.1.mga4, ghostscript-9.10-2.1.mga4, lib64gs9-9.10-2.1.mga4
$ ps2pdf test.ps
Output identical to before. Nothing proven.

Can anyone get the test file from:
http://bugs.ghostscript.com/show_bug.cgi?id=696041 [Comment 1]
in case it *is* different and yields the segfault?
Whiteboard: MGA4TOO advisory => MGA4TOO advisory feedback
I guess the test.ps that we can't access from the first upstream bug (which triggers a segfault) is not the same as the one on the second bug, and is not available. That's fine. We can OK this.
Whiteboard: MGA4TOO advisory feedback => MGA4TOO advisory
Whiteboard: MGA4TOO advisory => MGA4TOO advisory MGA4-64-OK
I also tested ps2pdf with an old PS file I had and the resulting PDF looks good. Mageia 4 i586.
Whiteboard: MGA4TOO advisory MGA4-64-OK => MGA4TOO advisory MGA4-64-OK MGA4-32-OK
Testing again Mageia 5 x64 (OK)

Starting inadvertently with the *updated* packages:
ghostscript-common-9.14-3.1.mga5
ghostscript-module-X-9.14-3.1.mga5
ghostscript-9.14-3.1.mga5

I did the following tests:
- $ ps2pdf test.ps
  which gave the same error as in Comments 5/8, so this is deemed OK.
- Using Firefox 'print to file' (this page!) I first asked for a .ps file - a handy way to produce a PostScript file. Then repeated this to produce a .pdf file. Compared the two with a viewer to confirm their essential sameness.
  Used
  $ ps2pdf <postscript file .ps> <output file .pdf>
  Compared with a viewer, the PDF produced directly by Firefox and that produced via ps2pdf were essentially identical.

So the program seems to work OK.
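A QA helper, added here and not part of the Mageia bug or of Ghostscript, that scripts the checks the testers above did by hand: it runs ps2pdf on the attached PoC and reports whether the interpreter died by signal (the segfault the upstream bug describes) or exited with a controlled error like the /VMerror seen in this bug, then converts a constructed one-page PostScript file to confirm normal conversion still works. It assumes ps2pdf and head -c are available; the PoC path is a placeholder argument.

```shell
# QA helper added here; not part of the Mageia bug or of Ghostscript.
# Assumes ps2pdf (Ghostscript) is installed; the PoC path is a placeholder.

# Classify how a ps2pdf/gs run ended. The shell reports death by signal N
# as 128+N, so 139 = 128+11 = SIGSEGV, the crash the upstream bug describes;
# exit code 1 is Ghostscript's controlled "Unrecoverable error" exit.
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -ge 128 ]; then echo "signal:$(( $1 - 128 ))"
    else echo error
    fi
}

# Write a minimal valid one-page PostScript file (constructed sample input)
# for the "does a normal file still convert" regression test.
make_sample_ps() {
    printf '%%!PS-Adobe-3.0\n%%%%Pages: 1\n%%%%Page: 1 1\n' > "$1"
    printf '/Helvetica findfont 24 scalefont setfont\n' >> "$1"
    printf '72 720 moveto (ps2pdf regression check) show\nshowpage\n%%%%EOF\n' >> "$1"
}

# Run ps2pdf and print the classification; "|| status=$?" survives "set -e".
run_ps2pdf() {
    status=0
    ps2pdf "$1" "$2" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# True when the produced file really is a PDF (starts with "%PDF-").
is_pdf() { [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]; }

# 1) The PoC must not kill the interpreter by signal: "error" is acceptable
#    (the /VMerror seen in this bug), "signal:11" means the fix is missing.
# 2) A normal PostScript file must still convert to a valid PDF.
run_checks() {
    poc=$1; tmp=${TMPDIR:-/tmp}/ps2pdf-check.$$
    case "$(run_ps2pdf "$poc" "$tmp.poc.pdf")" in
        signal:*) echo "FAIL: interpreter died by signal on $poc"; rm -f "$tmp".*; return 1 ;;
        *)        echo "ok: no crash on $poc" ;;
    esac
    make_sample_ps "$tmp.sample.ps"
    if [ "$(run_ps2pdf "$tmp.sample.ps" "$tmp.sample.pdf")" = ok ] && is_pdf "$tmp.sample.pdf"; then
        echo "ok: sample.ps converted to a valid PDF"; rm -f "$tmp".*; return 0
    fi
    echo "FAIL: regression, sample.ps did not convert"; rm -f "$tmp".*; return 1
}

# Usage: sh check_ps2pdf.sh /path/to/test.ps  (the PoC path is a placeholder)
if [ $# -gt 0 ] && command -v ps2pdf >/dev/null 2>&1; then run_checks "$1"; fi
```

On the unfixed packages a genuine segfault shows up as "signal:11"; the /VMerror exit reported in this bug classifies as "error" and is treated as a pass, which is the distinction the before/after comparison above could not make by eye.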
Whiteboard: MGA4TOO advisory MGA4-64-OK MGA4-32-OK => MGA4TOO advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0308.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED