Fedora has issued an advisory on November 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2QUCMGMEGU4TK3I5424ZFZYFJHEQRF4P/ The issues are fixed in 9.22. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => anaselli, cjw, joequant, lmenut, mageia, mageia, marja11, olav, thierry.vignaud
CVE-2017-11714 was already fixed in bug 21630
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Multiple use-after-free vulnerabilities in the gx_image_enum_begin function in base/gxipixel.c in Ghostscript before ecceafe3abba2714ef9b432035fe0739d9b1a283 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document. (CVE-2017-6196)

Integer overflow in the mark_curve function in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via a crafted PostScript document. (CVE-2017-7948)

The mark_line_tr function in gxscanc.c in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PostScript document. (CVE-2017-8908)

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. (CVE-2017-9216)

The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. (CVE-2017-9610)

The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted document. (CVE-2017-9618)

The xps_true_callback_glyph_name function in xps/xpsttf.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (Segmentation Violation and application crash) via a crafted file. (CVE-2017-9619)

The xps_select_font_encoding function in xps/xpsfont.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document, related to the xps_encode_font_char_imp function. (CVE-2017-9620)

The xps_decode_font_char_imp function in xps/xpsfont.c in Artifex Ghostscript GhostXPS 9.21 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted document. (CVE-2017-9740)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2QUCMGMEGU4TK3I5424ZFZYFJHEQRF4P/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9740
========================

Updated packages in 5/core/updates_testing:
========================
ghostscript-9.22-1.mga5
ghostscript-dvipdf-9.22-1.mga5
ghostscript-common-9.22-1.mga5
ghostscript-X-9.22-1.mga5
ghostscript-module-X-9.22-1.mga5
lib(64)gs9-9.22-1.mga5
lib(64)gs-devel-9.22-1.mga5
lib(64)ijs1-0.35-124.mga5
lib(64)ijs-devel-0.35-124.mga5
ghostscript-doc-9.22-1.mga5

from SRPMS:
ghostscript-9.22-1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
ghostscript-9.22-1.mga6
ghostscript-dvipdf-9.22-1.mga6
ghostscript-common-9.22-1.mga6
ghostscript-X-9.22-1.mga6
ghostscript-module-X-9.22-1.mga6
lib(64)gs9-9.22-1.mga6
lib(64)gs-devel-9.22-1.mga6
lib(64)ijs1-0.35-124.mga6
lib(64)ijs-devel-0.35-124.mga6
ghostscript-doc-9.22-1.mga6

from SRPMS:
ghostscript-9.22-1.mga6.src.rpm
Status: NEW => ASSIGNED
Source RPM: ghostscript-9.20-4.mga7.src.rpm => ghostscript-9.20-3.1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Intending to test this for Mageia 6 x86_64. Just checking the CVEs noted that one of them talks about a problem with inkscape and the texttext plugin. Launched inkscape and checked extensions but did not recognize texttext. Anybody know how to get hold of texttext plugin or how to check if it is installed (from within inkscape)?
CC: (none) => tarazed25
Mageia 6 on x86_64 real hardware

Investigated the POCs accessed through the CVE links listed. All had originally been tested in an ASAN framework - not an option for QA. Recorded the results before updating and ran the same tests afterwards. Since there was no difference between the before and after results no conclusions can be drawn, so the POCs are not worth following up. Report attached for completeness.
Created attachment 9807
List of POCs for various CVEs

The recommendation is that these tests not be run.
Advisory from comment 3 uploaded. @Nicolas CVE-2017-11714 is in the bug title, but not the Advisory. Should this be?
Keywords: (none) => advisory
CC: (none) => lewyssmith
Lewis, see Comment 2.
Utility tests of ghostscript.

lib64gs9 is required by ghostscript, and the Gimp. Best to simply exercise the ghostscript utilities and check printer output.

The commandline utility gs displays postscript documents fine, text and colour graphics. Invoked via LibreOffice/CUPS to print a document. Printing from the commandline with lpr worked fine as well. Tried gsdj and gxps but could not figure out how to use them in spite of the man command. gxps needs an XPS file anyway.

For general use Ghostscript is working fine.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Mageia 6 for i586 in virtualbox

Updated all the packages. Printed an odt file from LibreOffice to network printer. Viewed various Postscript files using gs on the commandline.

$ lpr -Pokda report.go

Wifi printing from the commandline worked fine. Good for 32 bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK
Testing M6/64

Thanks Len for letting us off the PoCs.

Updated to:
- ghostscript-9.22-1.mga6.x86_64
- ghostscript-common-9.22-1.mga6.x86_64
- ghostscript-module-X-9.22-1.mga6.x86_64
- lib64gs9-9.22-1.mga6.x86_64
- lib64ijs1-0.35-124.mga6.x86_64

Commands to play with: gsc (= 'gs'), font2c, gsbj, gsdj, gsdj500, gslj, gslp, gsnd, lprsetup.sh, pdf2dsc, pdf2ps, pf2afm, pfbtopfa, pphs, printafm, ps2ascii, ps2epsi, ps2pdf, ps2pdf12, ps2pdf13, ps2pdf14, ps2pdfpress, ps2pdfwr, ps2ps, ps2ps2, unix-lpr.sh, wftopfa + real printing.

$ ps2pdf
Used Firefox print (to file) to create a PostScript file of this page; then ps2pdf'd it (rapid). The two forms are sensibly the same.

$ pdf2ps
Converted a native PDF document to PS (slow); the output is nominally the same, but ropey quality. I think I have noted this before.

$ ps2pdf12
$ ps2pdf13
$ ps2pdf14
Converted the source Postscript file to PDF 1.2, 1.3, 1.4. In each case (rapid) the result was essentially identical.

$ strace ps2pdf14 gstest.ps gstest14.pdf 2>&1 | grep libgs
open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 3
shows the library is being used.

I 'exported as PDF' from LibreOffice Writer an .odt document; result good. Having the cups-pdf pseudo printer installed, 'printing' from Writer the same document to this 'printer' yielded a good PDF result. This is not the same as the previous test.

A bit of real printing to an Epson D92 was OK.

All in all, this update looks good for M6/64. Will try M5/64 similarly.
Trying this on Mageia 5 as well. Thanks for reminding us about ps2pdf etc.
Mageia 5 for x86_64

After the update tried the pdf/ps commands.

$ pdf2ps MicroSoftAppraisal.pdf
$ gs MicroSoftAppraisal.ps
Stepped through the pages using the return key. All looked good. Converted back again.

$ ps2pdf14 MicroSoftAppraisal.ps
The resulting PDF looked good in xpdf with no loss of quality.

No font2c installed.

$ pphs Threads.pdf
Error: /invalidfileaccess in --file--
.................

Reading an odt file with libreoffice and exporting it as a pdf worked very well. Libreoffice and lpr print correctly to an HP wireless printer.

Display font metrics for a Postscript font.

$ printafm Larabiefont | less
StartFontMetrics 2.0
FontName Larabiefont
UnderlineThickness 0.02
FullName Larabiefont
ItalicAngle 0.0
FamilyName Larabiefont
Notice by Ray Larabie - freeware rlarabie@hotmail.com
Version Macromedia Fontographer 4.1 2/23/98
IsFixedPitch true
UnderlinePosition -0.133
FontBBox 0 0 1 1
StartCharMetrics 176
C 32 ; WX 528 ; N space ; B 528 0 528 0 ;
C 33 ; WX 528 ; N exclam ; B 203 6 322 631 ;
C 34 ; WX 528 ; N quotedbl ; B 139 338 390 631 ;
C 35 ; WX 528 ; N numbersign ; B 25 -59 503 703 ;
C 36 ; WX 528 ; N dollar ; B 72 -64 455 711 ;
C 37 ; WX 528 ; N percent ; B 19 -45 508 686 ;
C 38 ; WX 528 ; N ampersand ; B 62 8 465 631 ;
.........................

$ ps2ascii mondorescue-howto.pdf test.txt
$ less test.txt
MondoRescueHOWTO Utilisation and Configuration of Mondo and Mindi under Linux (Version 3.0.3-r3026) BrunoCornec MondoRescueProject bruno@mondorescue.org ConorDaly MondoRescueProject conor.daly_at_met.ie in its latest version the 2012-07-17 MondoRescue HOWTO: Utilisation and Configuration of Mondo and Mindi under Linux (Version 3.0.3-r3026) byBrunoCornec byConorDaly Published in its latest version the 2012-07-17 Copyright © 2000-2006 Bruno Cornec
................................

Good enough I would say.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
Installed and tested without issues.

The following packages were updated.
lib64gs9-9.22-1.mga5.x86_64
ghostscript-common-9.22-1.mga5.x86_64
ghostscript-9.22-1.mga5.x86_64
lib64ijs1-0.35-124.mga5.x86_64

System: Mageia 5, x86_64, Intel CPU.

The following commands were run on a bunch of ps/pdf files and all output files were checked with okular or kwrite. No problems found.

$ pdf2ps test.pdf test.pdf.ps
$ ps2pdf test.ps test.ps.pdf
$ ps2ascii test.ps test.ps.txt

$ strace ps2pdf14 test.ps test.ps.pdf 2>&1 | grep libgs
open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3

$ printafm Larabiefont | head
StartFontMetrics 2.0
FontName Larabiefont
FullName Larabiefont
ItalicAngle 0.0
FamilyName Larabiefont
Notice by Ray Larabie - freeware rlarabie@hotmail.com
Version Macromedia Fontographer 4.1 2/23/98
IsFixedPitch true
UnderlinePosition -0.133
UnderlineThickness 0.02
CC: (none) => mageia
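Added example, not part of any comment in this thread: the strace check used by the testers above matches on the substring libgs, which also picks up libgssapi_krb5 as the second output shows. The hypothetical helper libgs_loaded below reports only libgs.so.N files that were opened successfully; the sample trace is constructed, not captured from a real run.

```shell
#!/bin/sh
# Constructed sample of strace output (illustrative, not from a real run).
sample_trace() {
cat <<'EOF'
open("/usr/lib64/tls/libgs.so.9", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libijs.so.1", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# libgs_loaded: read strace output on stdin and print the path of every
# libgs.so.N that was opened successfully (hypothetical helper name).
#  - accepts open() and openat(), with or without a "[pid N]" prefix
#  - keeps only calls that returned a file descriptor, so failed
#    library-path probes (ENOENT) are ignored
#  - requires the exact "libgs.so." name, so libgssapi_krb5 is excluded
libgs_loaded() {
    grep -E '^(\[pid +[0-9]+\] +)?open(at)?\(' |
    grep -E '\) = [0-9]+$' |
    sed -n 's/.*"\([^"]*\/libgs\.so\.[0-9][0-9.]*\)".*/\1/p' |
    sort -u
}

# Against a real conversion (file names are placeholders):
#   strace -f -e trace=open,openat ps2pdf14 in.ps out.pdf 2>&1 | libgs_loaded
```

An empty result means no successful open of libgs was traced, which is worth investigating before treating the update as exercised.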
MGA5-32 on Dell Latitude D600 Xfce

No installation issues. Followed Len's examples in Comment 13, starting with a pdf file created by LibreOffice on a M6 desktop in a stable configuration.

$ pdf2ps kursustekst.pdf , result shows OK in atril-viewer

$ gs kursustekst.ps
GPL Ghostscript 9.22 (2017-10-04)
Copyright (C) 2017 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.22/Resource/Font/DejaVuSans.
Can't find (or can't open) font file DejaVuSans.
Loading DejaVuSans font from /usr/share/fonts/TTF/dejavu/DejaVuSans.ttf... 4036664 2628272 11713088 7377682 1 done.
and more of those, but the document shows OK

I renamed the original pdf and then
ps2pdf14 kursustekst.ps , result shows OK in atril-viewer

pphs kursustekstorig.pdf
Error: /invalidfileaccess in --file--
and some more

$ printafm Larabiefont | less , similar output as above

But the ps2ascii produces:
$ less kurstext.txt
"kurstext.txt" may be a binary file. See it anyway?
and mousepad does show unreadable stuff.

In all enough to go.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
CC: (none) => herman.viaene
Thanks to all the testers. Validating this.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0430.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Unfortunately, version 9.22 is not only a bug fix release, but drops various features and is breaking backward compatibility :(((( xdvi is broken now...
https://bugs.mageia.org/show_bug.cgi?id=22183
https://bugs.archlinux.org/task/56284
CC: (none) => eatdirt
Also fixed in this update:
- CVE-2018-11645
(In reply to David Walser from comment #19)
> Also fixed in this update:
> - CVE-2018-11645

https://www.debian.org/security/2018/dsa-4336