Bug 22590 - ghostscript new security issue CVE-2016-10317
Summary: ghostscript new security issue CVE-2016-10317
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-14 12:37 CET by David Walser
Modified: 2018-02-25 18:32 CET

See Also:
Source RPM: ghostscript-9.22-2.mga7.src.rpm
CVE: CVE-2016-10317

Description David Walser 2018-02-14 12:37:36 CET
openSUSE has issued an advisory on February 12:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00039.html

The SUSE bug has a link to the upstream commit that fixed the issue:
https://bugzilla.suse.com/show_bug.cgi?id=1032230

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-02-14 12:37:53 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-14 12:39:11 CET

Status comment: (none) => Patches available from openSUSE and upstream

Comment 1 Marja Van Waes 2018-02-14 17:00:57 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Stig-Ørjan Smelror 2018-02-18 23:44:21 CET

CC: (none) => smelror
CVE: (none) => CVE-2016-10317
Assignee: pkg-bugs => smelror

Comment 2 Stig-Ørjan Smelror 2018-02-19 00:15:04 CET
Advisory
========

This update fixes CVE-2016-10317.

The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2016-10317

Files
=====
The following files have been uploaded to core/updates_testing

ghostscript-9.22-1.2.mga6
ghostscript-X-9.22-1.2.mga6
ghostscript-common-9.22-1.2.mga6
ghostscript-doc-9.22-1.2.mga6
ghostscript-dvipdf-9.22-1.2.mga6
ghostscript-module-X-9.22-1.2.mga6

from ghostscript-9.22-1.2.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: smelror => qa-bugs

Comment 3 Stig-Ørjan Smelror 2018-02-19 00:16:37 CET
Cauldron has been updated to ghostscript-9.22-3.mga7.

Cheers,
Stig

Comment 4 Len Lawrence 2018-02-19 15:02:18 CET
Mageia 6 :: x86_64

The ghostscript packages updated cleanly.  Added whatever was missing.
Examined a postscript file.
$ gs tmp/abc-0.ps
GPL Ghostscript 9.22 (2017-10-04)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.22/Resource/Font/Gunplay3D.
Can't find (or can't open) font file Gunplay3D.
Loading Gunplay3D font from /usr/share/fonts/drakfont/tmp/tmp/gunplay3.ttf... 4323612 2917313 5752560 4394808 3 done.

A page of labels was displayed.
$ dvipdf docs/software/refcard.dvi refcard.pdf
There were warnings that the output would be of poor quality but with
$ xpdf refcard.pdf
the quality looked pretty good.  The result was a six page GNU Emacs Reference.

Copied local type1 fontfiles *.{afm,pfb} to /usr/share/fonts/default/ghostscript/ and moved to that directory and ran
$ sudo type1inst
to generate the Fontmap, etc files needed for the next test.

As user created a page of labels with various type1 fonts and printed it.
$ lpr -Pokda tmp/abc-0.ps 
It looked fine both on the screen and on paper.

Don't know what else can be done to test this.  It looks good to me.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 David Walser 2018-02-24 16:22:27 CET
Adding a Mageia 5 build for this update.  (Same version/release just with mga5).

Advisory:
========================

Updated ghostscript packages fix security vulnerability:

The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software,
Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have unspecified
other impact via a crafted PostScript document (CVE-2016-10317).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10317
https://lists.opensuse.org/opensuse-updates/2018-02/msg00039.html

Status comment: Patches available from openSUSE and upstream => (none)
Severity: normal => major
Whiteboard: MGA6-64-OK => MGA5TOO MGA6-64-OK

Comment 6 Dave Hodgins 2018-02-24 20:35:33 CET
Advisory committed to svn.

Testing on Mageia 5 needed before validating.

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Thomas Andrews 2018-02-24 21:40:09 CET
Mageia 5 -> x86_64, real hardware. (Athlon X2 7750, nvidia340 graphics, atheros wifi)

Ghostscript and all other pending update packages installed cleanly.

Downloaded a three-page sample file from the Web, containing both text and graphics.

Loaded into GIMP, which I believe uses Ghostscript to render .ps files. File loaded as three layers, one for each page. Printed one page on an Officejet 6110 printer, looked good.

Loaded into Okular, which I believe also uses Ghostscript to render .ps files. Printed two pages on a Deskjet 5650 printer, using duplexer. All looked good.

I don't know how else to test this, either. Looks OK on MGA5.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 8 Len Lawrence 2018-02-25 00:01:38 CET
@TJ comment 7:
Just checked okular under Mageia 5 and can confirm that ghostscript is involved.

cat trace | grep "ghost" | less

stat("/usr/share/fonts/default/ghostscript", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/usr/share/fonts/default/ghostscript", O_RDONLY|O_CLOEXEC) = 6
access("/usr/lib64/kde4/okularGenerator_ghostview.so", R_OK) = 0
stat("/usr/lib64/kde4/okularGenerator_ghostview.so", {st_mode=S_IFREG|0755, st_size=58880, ...}) = 0

and these calls were noted also:
open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 12

Validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Len Lawrence 2018-02-25 00:12:28 CET
$ urpmq --requires-recursive okular | grep gs
also shows lib64gs9.
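
A narrower form of the check used in comments 8 and 9, as an added example that is not part of the original bug thread: it reads strace output and lists only the Ghostscript shared libraries that were successfully opened, so failed path probes and names that merely contain "gs" (such as libgssapi_krb5) are not counted. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which libgs.so.<version> files a traced process
# actually loaded, reading strace output on stdin.
# Only open()/openat() calls with a non-negative return value are kept,
# and the file name must be exactly libgs.so.<version>.
loaded_libgs() {
    sed -n -E 's/^.*open(at)?\((AT_FDCWD, )?"([^"]*\/libgs\.so\.[0-9.]+)".*\) = [0-9]+$/\3/p' \
        | sort -u
}

# Constructed sample trace, modelled on the lines quoted in comment 8,
# plus one failed library-path probe of the kind the dynamic loader emits.
sample_trace() {
    cat <<'EOF'
stat("/usr/share/fonts/default/ghostscript", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("/usr/lib64/kde4/okularGenerator_ghostview.so", R_OK) = 0
open("/usr/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 12
EOF
}

sample_trace | loaded_libgs
```

An empty result means the traced run never loaded the Ghostscript library, so it did not exercise the updated package.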

Comment 10 Mageia Robot 2018-02-25 18:32:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0142.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

