Bug 22931 - ghostscript new security issue CVE-2018-10194
Summary: ghostscript new security issue CVE-2018-10194
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-21 18:44 CEST by David Walser
Modified: 2018-05-04 19:30 CEST

See Also:
Source RPM: ghostscript-9.22-1.2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-04-21 18:44:33 CEST
A security issue fixed upstream in Ghostscript 9.23 has been announced:
http://openwall.com/lists/oss-security/2018/04/19/5

Mageia 5 is also affected.
David Walser 2018-04-21 18:44:41 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2018-04-21 18:54:56 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, smelror

Comment 2 David Walser 2018-04-28 12:09:11 CEST
Fedora has issued an advisory for this on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KAA4HM5ZWQWEFKXJK72E6S3MLTY2VN36/
Comment 3 David Walser 2018-05-01 18:06:34 CEST
Ubuntu has issued an advisory for this on April 30:
https://usn.ubuntu.com/3636-1/
José Jorge 2018-05-02 07:46:11 CEST

CC: (none) => lists.jjorge
Assignee: pkg-bugs => lists.jjorge

José Jorge 2018-05-02 07:59:10 CEST

Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 4 José Jorge 2018-05-02 08:21:58 CEST
Submitted version 9.23 as it was in cauldron today to MGA6 and MGA5. MGA5 build failed, so at least for MGA6 it can be tested.

RPMS:
ghostscript-9.23-1.mga6.i586.rpm 
ghostscript-dvipdf-9.23-1.mga6.i586.rpm
ghostscript-common-9.23-1.mga6.i586.rpm
ghostscript-X-9.23-1.mga6.i586.rpm
ghostscript-module-X-9.23-1.mga6.i586.rpm
libgs9-9.23-1.mga6.i586.rpm
libgs-devel-9.23-1.mga6.i586.rpm
libijs1-0.35-127.mga6.i586.rpm
libijs-devel-0.35-127.mga6.i586.rpm

ghostscript-9.23-1.mga6.x86_64.rpm
ghostscript-dvipdf-9.23-1.mga6.x86_64.rpm
ghostscript-common-9.23-1.mga6.x86_64.rpm
ghostscript-X-9.23-1.mga6.x86_64.rpm
ghostscript-module-X-9.23-1.mga6.x86_64.rpm
lib64gs9-9.23-1.mga6.x86_64.rpm
lib64gs-devel-9.23-1.mga6.x86_64.rpm
lib64ijs1-0.35-127.mga6.x86_64.rpm
lib64ijs-devel-0.35-127.mga6.x86_64.rpm

ghostscript-doc-9.23-1.mga6.noarch.rpm
Comment 5 David Walser 2018-05-02 14:14:38 CEST
Advisory to come later.

It looks like Mageia 5 maybe just needed an autoreconf, so trying that now.
Comment 6 David Walser 2018-05-02 15:12:13 CEST
Yep, that worked.  Easy peasy.

ghostscript-9.23-1.mga5
ghostscript-dvipdf-9.23-1.mga5
ghostscript-common-9.23-1.mga5
ghostscript-X-9.23-1.mga5
ghostscript-module-X-9.23-1.mga5
libgs9-9.23-1.mga5
libgs-devel-9.23-1.mga5
libijs1-0.35-127.mga5
libijs-devel-0.35-127.mga5
ghostscript-doc-9.23-1.mga5

from ghostscript-9.23-1.mga5.src.rpm
Comment 7 David Walser 2018-05-02 15:13:43 CEST
Advisory:
========================

Updated ghostscript packages fix security vulnerability:

The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite
component in Artifex Ghostscript through 9.22 does not prevent overflows in
text-positioning calculation, which allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact via a
crafted PDF document (CVE-2018-10194).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
http://openwall.com/lists/oss-security/2018/04/19/5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KAA4HM5ZWQWEFKXJK72E6S3MLTY2VN36/
Comment 8 Len Lawrence 2018-05-02 18:10:03 CEST
Mageia 6, x86_64

There is a test for the CVE but no reproducer file unfortunately.

Used gs to view a couple of PDF files, pressing return to click through the pages.

(Used drakfont to import some fonts and then copied them to /usr/share/fonts/default/ghostscript and executed type1inst in that directory.
LO could not see them until this was done.)

Used a local ruby/tk utility to generate a page of labels in a selected font.  Viewed that using gs and LibreOffice.
Command-line printing works fine.
$ lpr -Pokda ~/tmp/abc-0.ps
That looked just as it did in gs and LO.
$ lpr -Pokda refcard.pdf
That printed a two page PDF.

Generate a six-page PDF from a DVI file.
$ dvipdf refcard.dvi emacs.pdf
emacs.pdf can be viewed page by page in gs.  Checked it in xpdf also.

Don't know how to use gs for printing but the following seemed to generate data which might be a raster file.  The trick is to know what DEVICE to specify and that I cannot figure.
$ gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=~/tmp/whatever -dSAFER abc-0.ps -c quit

This all looks OK.

CC: (none) => tarazed25

Len Lawrence 2018-05-02 18:10:22 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 9 Len Lawrence 2018-05-02 19:56:50 CEST
Mageia 5, x86_64

Installed the packages as listed and ran similar tests to those in comment 8.
All ran fine.
There was something a little odd with gs when viewing a Linux Journal PDF from 2012.  It has 114 pages.  Typed quit after about 20 pages and it insisted on running through the remaining pages at high speed before quitting.

This update is OK.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 10 Lewis Smith 2018-05-04 10:35:16 CEST
Advisory from comments 4, 6, 7.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2018-05-04 19:30:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0219.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

