Fedora has issued an advisory on September 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z7XAJ7DE22MU3GSUMD4ABL5TSET2BX4Y/ There are several other recent security fixes upstream and CVEs haven't been assigned for everything yet, see this thread: http://openwall.com/lists/oss-security/2018/09/03/2 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Ghostscript 9.24 has been released today (September 3), including all of the security fixes upstream has committed so far: https://www.ghostscript.com/doc/9.24/News.htm
Summary: ghostscrew new security issue CVE-2018-15909 => ghostscript new security issue CVE-2018-15909
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero, smelror
Fixed in ghostscript-9.24-2.mga7 in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory
========

Ghostscript has been updated to fix CVE-2018-15909, a type confusion using the .shfill operator that could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code.

References
==========

https://cve.circl.lu/cve/CVE-2018-15909

Files
=====

Uploaded to core/updates_testing:

ghostscript-9.24-1.mga6
ghostscript-common-9.24-1.mga6
ghostscript-debuginfo-9.24-1.mga6
ghostscript-doc-9.24-1.mga6
ghostscript-dvipdf-9.24-1.mga6
ghostscript-module-X-9.24-1.mga6
ghostscript-X-9.24-1.mga6
lib64gs9-9.24-1.mga6
lib64gs-devel-9.24-1.mga6
lib64ijs1-0.35-132.mga6
lib64ijs-devel-0.35-132.mga6

from ghostscript-9.24-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
CC: (none) => tmb
Hi,

I updated the ghostscript packages on my system and I got a segmentation fault when trying to print a PDF file. I got the same problem with pdf2ps:

"""
./base/gsicc_manage.c:1244: gsicc_open_search(): Could not find ps_gray.icc
+ ./base/gsicc_manage.c:255: gsicc_initialize_iccsmask(): failed to load gray smask profile
   **** Error reading a content stream. The page may be incomplete.
               Output may be incorrect.
   **** Error: File did not complete the page properly and may be damaged.
               Output may be incorrect.
Segmentation fault (core dumped)
"""

With ghostscript 9.23, I had no problem with the file.

Best regards,
Nico.
I found this bug report from Arch Linux: https://bugs.archlinux.org/task/59952. It really seems that version 9.24 cannot find ICC profiles which are in /usr/share/ghostscript/9.24/iccprofiles.
There are some more fixes in git that we will want.
CC: (none) => fri
Following my investigations: what is strange is that it fails to find "ps_gray.icc" but, before that, succeeds to find "default_*.icc" and "lab.icc". "ps_gray.icc" is the same as in version 9.23 and has the same file permissions as all other ICC files in /usr/share/ghostscript/9.24/iccprofiles. The issue I encountered was introduced by this commit: http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=d224b4abec1d0bd991028b7e38e95d47b7a834f4 To be more precise, by the part: """ - str = sfopen(buffer, "r", mem_gc); - gs_free_object(mem_gc, buffer, "gsicc_open_search"); - if (str != NULL) { - *strp = str; - return 0; + + if (gs_check_file_permission(mem_gc, buffer, strlen(buffer), "r") >= 0) { + str = sfopen(buffer, "r", mem_gc); + gs_free_object(mem_gc, buffer, "gsicc_open_search"); + if (str != NULL) { + *strp = str; + return 0; + } + } + else { + gs_free_object(mem_gc, buffer, "gsicc_open_search"); """ When I tried a build of version 9.24 that reverts only that part of the commit, the problem is over. So I added a patch to our SVN for that.
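Review bot: in the added branch a negative result from gs_check_file_permission() falls into the new `else` arm, which only frees the buffer, so a profile that exists but whose path the permission check rejects surfaces to the caller exactly like a missing file (the "Could not find ps_gray.icc" message seen here) and the real cause is hidden. Suggest keeping the check, since it is the hardening this commit is adding, but reporting the permission failure distinctly before `gs_free_object(mem_gc, buffer, "gsicc_open_search");` in the else arm, and then fixing the search so the iccprofiles directory passes the check instead of reverting the hunk.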
I don't think reverting that is the way to go as it was done as part of security hardening... Looking in upstream git, I guess these could help:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=bc3df0773fccf4b4906a3e59652ad646ea0fee91
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c8c01f8c4164bc10281d9e8f87cf96314d93104b
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13418541a5ae19b15f51cbb87faf344902f5af98
Before reverting, I tried with a build of the latest snapshot (which contains those commits) and the problem was still there.
Are you sure about the last 2 commits? They only got added ~3 hours ago, and your revert is ~4 hours ago.
More CVEs assigned: http://openwall.com/lists/oss-security/2018/09/06/3 Also see earlier in the thread. Several CVEs are missing from our advisory.
(In reply to Thomas Backlund from comment #11)
> Are you sure about the last 2 commits? They only got added ~3 hours ago,
> and your revert is ~4 hours ago

You were right. I did not see that the last two commits were after my tests. With the three commits, my problem is over. So ghostscript-9.24-1.1.mga6 removes my patch and contains the three commits.

Regarding the advisory, according to http://openwall.com/lists/oss-security/2018/09/06/3, for one issue (699663) a CVE was requested but not assigned yet, so we may want to wait a little.
Have you added the commit referenced here and any other security-relevant post-9.24 fixes in git? http://www.openwall.com/lists/oss-security/2018/09/05/3
Arrgh!

So ghostscript-9.24-1.2.mga6 will also include commits for:
- Bug 699699: Crash upon bogus input argument
- Bug 699714: retain .LockSafetyParams through failed .installpagedevice
- Bug 699719: Fix @ files in arg handling
- Bug 699711: Review arg_next to ensure that NULL arg returns are coped with
- Fix SEGV seen in all-devices test with plank examples/ridt91.eps
- Bug 699718: Ensure stack space is available before gsrestore call out

and the two other commits:
- PostScript interpreter - More places where exec stack is not restored
- Silence a coverity warning
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. (CVE-2018-15908)

In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. (CVE-2018-15909)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. (CVE-2018-15910)

In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. (CVE-2018-15911)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. (CVE-2018-16509)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16510)

An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16511)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16513)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. (CVE-2018-16539)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16540)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. (CVE-2018-16541)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. (CVE-2018-16542)

In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact. (CVE-2018-16543)

Bug 699663: .setdistillerkeys memory corruption. (CVE Requested)
Bug 699699: Crash upon bogus input argument
Bug 699714: retain .LockSafetyParams through failed .installpagedevice
Bug 699719: Fix @ files in arg handling
Bug 699711: Review arg_next to ensure that NULL arg returns are coped with
Fix SEGV seen in all-devices test with plank examples/ridt91.eps
Bug 699718: Ensure stack space is available before gsrestore call out

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16543
http://openwall.com/lists/oss-security/2018/09/05/3
http://openwall.com/lists/oss-security/2018/09/06/3
========================

Updated packages in core/updates_testing:
========================

ghostscript-9.24-1.2.mga6
ghostscript-dvipdf-9.24-1.2.mga6
ghostscript-common-9.24-1.2.mga6
ghostscript-X-9.24-1.2.mga6
ghostscript-module-X-9.24-1.2.mga6
lib(64)gs9-9.24-1.2.mga6
lib(64)gs-devel-9.24-1.2.mga6
lib(64)ijs1-0.35-132.2.mga6
lib(64)ijs-devel-0.35-132.2.mga6
ghostscript-doc-9.24-1.2.mga6

from SRPMS:
ghostscript-9.24-1.2.mga6.src.rpm
Mageia 6, x86_64

Followed the CVE links before updating and found little useful as far as reproducers are concerned.

CVE-2018-16509
At http://www.openwall.com/lists/oss-security/2016/09/29/3 there is a PostScript file named test.gif (or whatever) which is supposed to provide an exploit using ImageMagick.

$ convert test.gif png:test.png
convert: profile 'icc': 'RGB ': RGB color space not permitted on grayscale PNG `test.png' @ warning/png.c/MagickPNGWarningHandler/1665.
$ hexdump test.png
$ hexdump /etc/passwd

I tried it but could not find any correspondence between the hexdump of test.png and the hexdump of /etc/passwd. The exploit is supposed to show that the converted file contains the first line of the passwd file. There was nothing in the terminal either.

Another one was found at https://seclists.org/oss-sec/2018/q3/142:

$ convert shellexec.jpeg whatever.gif
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),954(mysql),1001(libvirt)
convert: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER .......

which is more successful.

$ convert shellexec.jpeg whatever.gif
Error: /invalidaccess in --.putdeviceprops--
Operand stack:
[...]
Current file position is 176
GPL Ghostscript 9.24: Unrecoverable error, exit code 1
convert: no images defined `whatever.gif' @ error/convert.c/ConvertImageCommand/3258.

The exploit has been taken care of this time.
CC: (none) => tarazed25
Created attachment 10361 [details] Testcase for CVE-2018-16509 It does not work for us: $ convert test.gif png:test.png
Created attachment 10362 [details] Second testcase for CVE-2018-16509 $ convert shellexec.jpeg whatever.gif This does show the exploit.
Is the commit referenced in this post: http://openwall.com/lists/oss-security/2018/09/09/1 and the second commit in this post: http://openwall.com/lists/oss-security/2018/09/09/2 included in this? It didn't look it (the first one from the second message is).
This is all a bit too complex for me. I don't understand the question. I just searched through the CVEs for anything that looks like an up-to-date POC. There are a lot of references to earlier test cases which I ignored on the assumption that they referred to issues which had been dealt with in earlier updates.

http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4 is referenced in http://openwall.com/lists/oss-security/2018/09/09/1

http://openwall.com/lists/oss-security/2018/09/09/2
This refers to the 5812b1b78fc4 commitdiff but also says "previous".

Tried the
$ gs -dSAFER bug699718.txt
test in 9.23 and that displayed a line from /etc/passwd. After updating this gives:
Error: /invalidaccess in --setdevice--

So this is also a legitimate test then but I have no idea how to align it with a specific commit.

That's enough for me just now - it is the middle of the night here.
(In reply to David Walser from comment #20)
> Is the commit referenced in this post:
> http://openwall.com/lists/oss-security/2018/09/09/1
>
> and the second commit in this post:
> http://openwall.com/lists/oss-security/2018/09/09/2
>
> included in this? It didn't look it (the first one from the second message
> is).

There were some missing commits.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. (CVE-2018-15908)

In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. (CVE-2018-15909)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. (CVE-2018-15910)

In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. (CVE-2018-15911)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. (CVE-2018-16509)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16510)

An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16511)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16513)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. (CVE-2018-16539)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16540)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. (CVE-2018-16541)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. (CVE-2018-16542)

In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact. (CVE-2018-16543)

Bug 699663: .setdistillerkeys memory corruption. (CVE Requested)
Bug 699699: Crash upon bogus input argument
Bug 699714: retain .LockSafetyParams through failed .installpagedevice
Bug 699719: Fix @ files in arg handling
Bug 699711: Review arg_next to ensure that NULL arg returns are coped with
Fix SEGV seen in all-devices test with plank examples/ridt91.eps
Bug 699718: Ensure stack space is available before gsrestore call out
Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER
Bug 699707: Security review bug - continuation procedures

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16543
http://openwall.com/lists/oss-security/2018/09/05/3
http://openwall.com/lists/oss-security/2018/09/06/3
http://openwall.com/lists/oss-security/2018/09/09/1
http://openwall.com/lists/oss-security/2018/09/09/2
========================

Updated packages in core/updates_testing:
========================

ghostscript-9.24-1.4.mga6
ghostscript-dvipdf-9.24-1.4.mga6
ghostscript-common-9.24-1.4.mga6
ghostscript-X-9.24-1.4.mga6
ghostscript-module-X-9.24-1.4.mga6
lib(64)gs9-9.24-1.4.mga6
lib(64)gs-devel-9.24-1.4.mga6
lib(64)ijs1-0.35-132.2.mga6
lib(64)ijs-devel-0.35-132.2.mga6
ghostscript-doc-9.24-1.4.mga6

from SRPMS:
ghostscript-9.24-1.4.mga6.src.rpm
Summary: ghostscript new security issue CVE-2018-15909 => ghostscript new security issue CVE-2018-1590[89], CVE-2018-1591[01], CVE-2018-16509, CVE-2018-1651[013], CVE-2018-16539, CVE-2018-1654[0-3]
Ran the full update from 9.24-1.2 to 9.24-1.4.

https://seclists.org/oss-sec/2018/q3/142 Dated: 2018-08-21
The author has detected some exploits *recently. Not entirely certain now that this is CVE-2018-16509 but the CVE quotes the URL given above. It looks more like CVE-2018-16539.

"1. /invalidaccess checks stop working after a failed restore" (??)

$ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null

Tried this and gs realized that something was wrong and spewed out errors. But, this was without the "failed restore" whatever that is. The original test upstream quotes a line from /etc/passwd.

The author also points out that ImageMagick can be a common vector in attacks via ghostscript and that enforcing file header checking on untrusted source files can help mitigate that, e.g. convert gif:some.gif somegif.jpg, or even
$ convert gif:some.gif jpg:somegif.jpg
It would be difficult to find a comprehensive replacement for ImageMagick.

His test uses shellexec.jpeg:

$ convert shellexec.jpeg whatever.gif
[...]
GPL Ghostscript 9.24: Unrecoverable error, exit code 1
convert: no images defined `whatever.gif' @ error/convert.c/ConvertImageCommand/3258.
<upstream result is a line from /etc/passwd>

CVE-2018-15908
https://seclists.org/oss-sec/2018/q3/142 "4. .tempfile permissions don't seem to work"

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
execve("/usr/bin/gs", ["gs", "-sDEVICE=ppmraw", "-dSAFER"], 0x7ffefe909378 /* 84 vars */) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[...]
GS>(/proc/self/cwd/hello) (w) .tempfile
Error: /invalidfileaccess in --.tempfile--
Operand stack:
   (/proc/self/cwd/hello)   (w)
[...]
Dictionary stack:
   --dict:969/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 37
GS<2>quit
+++ exited with 0 +++

Interpreting this as a good result.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908305
Debian bug report #908305 was forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=699663 under CVE-2018-16585.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16585
Bug 699663: .setdistillerkeys memory corruption

https://seclists.org/oss-sec/2018/q3/142 -> comment 2. "2. setcolor claims"

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Error: /undefined in --setpattern--
[...]
Last OS error: No such file or directory
Current file position is 43
GS<1>quit

And no segfault. Good.

Bug 699748 but which CVE?
https://seclists.org/oss-sec/2018/q3/142 -> comment 3.

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams
Error: /typecheck in --setdistillerparams--
[...]
Last OS error: No such file or directory
Current file position is 67
GS<1>quit
$

No segfault which is good.
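The probes typed into `gs -dSAFER` in the two testing comments above (.tempfile, setpattern, .setdistillerparams) can be re-run non-interactively so that the next package revision gets the same checks. The harness below is an added example written for this page; it is not part of the Mageia bug, the Mageia package or Ghostscript. The PostScript snippets and the expected error names are taken from the outputs quoted above; the gs command line, the timeout and the verdict strings are this example's own choices. Only classify() needs gs output, so it can be exercised on captured transcripts without gs installed.

```python
"""Added example, not part of the Mageia bug or of Ghostscript itself.

Re-runs the interactive probes the testers typed into `gs -dSAFER`
(.tempfile, setpattern, .setdistillerparams) non-interactively and
classifies each result: a PostScript error is the fixed behaviour, a
signal death is the crash the update is meant to remove.  The gs command
line, the timeout and the verdict strings are this example's own choices.
"""
import re
import subprocess
from dataclasses import dataclass

# gs reads the program from stdin when the input file is "-"; SAFER and a
# throw-away raster device mirror the testers' invocations above.
GS_CMD = ["gs", "-q", "-dSAFER", "-dBATCH", "-dNOPAUSE",
          "-sDEVICE=ppmraw", "-sOutputFile=/dev/null", "-"]


@dataclass(frozen=True)
class Probe:
    name: str
    postscript: str     # snippet quoted in the thread
    expect_error: str   # PostScript error a fixed interpreter raises


PROBES = (
    Probe("tempfile-escape",
          "(/proc/self/cwd/hello) (w) .tempfile", "invalidfileaccess"),
    Probe("setpattern-type-confusion",
          "<< /Whatever 16#414141414141 >> setpattern", "undefined"),
    Probe("setdistillerparams-type-confusion",
          "<< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams",
          "typecheck"),
)

# Matches "Error: /invalidfileaccess in --.tempfile--" as gs prints it.
ERROR_RE = re.compile(r"Error: /(\w+) in (\S+)")


def classify(returncode, output, expect_error):
    """Turn one gs run into a verdict string.

    A negative return code means subprocess saw the process die from a
    signal (SIGSEGV is -11), which is exactly the pre-fix outcome.
    """
    if returncode < 0:
        return f"CRASH: killed by signal {-returncode}"
    match = ERROR_RE.search(output)
    if match is None:
        return "UNEXPECTED: no PostScript error raised"
    error, operator = match.groups()
    if error == expect_error:
        return f"BLOCKED: /{error} in {operator}"
    return f"DIFFERENT ERROR: /{error} in {operator} (expected /{expect_error})"


def run_probe(probe, gs_cmd=GS_CMD, timeout=30):
    """Feed one probe to gs and classify the outcome.

    Interpreter errors are written to stdout, so both streams are scanned.
    """
    try:
        proc = subprocess.run(gs_cmd, input=probe.postscript + "\n",
                              capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "SKIPPED: gs not installed"
    except subprocess.TimeoutExpired:
        return "HANG: no result within timeout"
    return classify(proc.returncode, proc.stdout + proc.stderr,
                    probe.expect_error)


def run_all(gs_cmd=GS_CMD):
    """Run every probe; returns {probe name: verdict}."""
    return {p.name: run_probe(p, gs_cmd) for p in PROBES}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:36s} {verdict}")
```

Any verdict other than BLOCKED is worth a closer look: CRASH reproduces the unfixed behaviour, and a DIFFERENT ERROR means the interpreter rejected the input for a reason other than the one the fix introduced, which can happen when a later commit changes which check fires first.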
Used gs to view PostScript and PDF files. There might be a regression in gs because the pages of a PDF could be displayed sequentially using Return but they overlaid the previous pages.

Ran the commands listed in https://bugs.mageia.org/show_bug.cgi?id=22931.

Printing from the command-line works fine.
$ lpr -Pokda ~/tmp/abc-0.ps
$ lpr -Pokda refcard.pdf
That printed a two page PDF.

$ dvipdf refcard.dvi
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning: no %%Page comments generated.
refcard.pdf displayed perfectly in okular - no problem with quality.

There are a number of utility data files associated with ghostscript but it is not clear how to use them.
$ locate align.ps
/usr/share/alignmargins/align.ps
/usr/shaalign.ps
The contents can be printed but not as an image+text. It displays correctly in gs so presumably could be printed by gs. Never had any luck printing anything via gs.

$ ps2epsi align.ps
$ file align.epsi
align.epsi: PostScript document text conforming DSC level 2.0, type EPS
$ ll align.epsi
-rw-r--r-- 1 lcl lcl 1040538 Sep 10 18:20 align.epsi
lpr just prints the header and leaves. LO crashes but offers recovery.
$ libreoffice --writer align.epsi
:1: parser error : Document is empty
%!PS-Adobe-2.0 EPSF-1.2
^

Usage is actually shown in gs when the file is displayed. This reveals that the user should create a PS file containing:
'<< /.HWMargins [ml mb mr mt] /Margins [x y] >> setpagedevice'
where x and y are calculated from the horizontal and vertical margins and the m parameters are the left, bottom, right and top margins in points. That file should be part of the print command line to ensure that the required margins are applied to the file being printed. I might experiment with that sometime.
Most of this looks OK for 64-bits but the failure of gs to display successive pages of a PDF clearly is of concern. Could somebody else confirm that regression please?
Correction to comment 25, not that it matters: $ locate align.ps /usr/share/alignmargins/align.ps /usr/share/ghostscript/9.24/lib/align.ps
CVE-2018-16802 is also fixed by this update: https://www.openwall.com/lists/oss-security/2018/09/11/1
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. (CVE-2018-15908)

In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. (CVE-2018-15909)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. (CVE-2018-15910)

In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. (CVE-2018-15911)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. (CVE-2018-16509)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16510)

An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16511)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16513)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. (CVE-2018-16539)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. (CVE-2018-16540)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. (CVE-2018-16541)

In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. (CVE-2018-16542)

In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact. (CVE-2018-16543)

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509. (CVE-2018-16802)

Bug 699663: .setdistillerkeys memory corruption. (CVE Requested)
Bug 699699: Crash upon bogus input argument
Bug 699719: Fix @ files in arg handling
Bug 699711: Review arg_next to ensure that NULL arg returns are coped with
Fix SEGV seen in all-devices test with plank examples/ridt91.eps
Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER
Bug 699707: Security review bug - continuation procedures

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16802
http://openwall.com/lists/oss-security/2018/09/05/3
http://openwall.com/lists/oss-security/2018/09/06/3
http://openwall.com/lists/oss-security/2018/09/09/1
http://openwall.com/lists/oss-security/2018/09/09/2
http://openwall.com/lists/oss-security/2018/09/11/1
Summary: ghostscript new security issue CVE-2018-1590[89], CVE-2018-1591[01], CVE-2018-16509, CVE-2018-1651[013], CVE-2018-16539, CVE-2018-1654[0-3] => ghostscript new security issue CVE-2018-1590[89], CVE-2018-1591[01], CVE-2018-16509, CVE-2018-1651[013], CVE-2018-16539, CVE-2018-1654[0-3], CVE-2018-16802
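Twice in this thread the advisory text and the bug Summary drifted apart (comment #20 noted CVEs missing from the advisory, and two more were only named after the update shipped). The script below is an added example for this page, not part of the Mageia bug, its tooling or Ghostscript: it expands the bracket shorthand used in the Summary (CVE-2018-1654[0-3] means 16540 through 16543) and reports any CVE that appears in the advisory body, its References list or the Summary but not in the other two. MAGEIA_SUMMARY is the Summary line above; SAMPLE_ADVISORY is a constructed, shortened advisory that deliberately names one CVE the references and Summary lack.

```python
"""Added example, not part of the Mageia bug or of Ghostscript itself.

Cross-checks a suggested advisory against the bug's Summary line: every
CVE named in the advisory text must appear in its References list and in
the Summary, and vice versa.  The Summary uses a bracket shorthand
(CVE-2018-1654[0-3]); expand_summary() expands it.  SAMPLE_ADVISORY is a
constructed, shortened advisory that deliberately mentions one CVE the
references and summary lack; MAGEIA_SUMMARY is the real Summary line.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# CVE-2018-1590[89] -> year, digit prefix, optional bracket class
SHORTHAND_RE = re.compile(r"CVE-(\d{4})-(\d+)(?:\[([^\]]+)\])?")


def expand_class(cls):
    """Expand a bracket class such as '89', '013' or '0-3' into digits."""
    digits = []
    i = 0
    while i < len(cls):
        if i + 2 < len(cls) and cls[i + 1] == "-":
            lo, hi = int(cls[i]), int(cls[i + 2])
            digits.extend(str(d) for d in range(lo, hi + 1))
            i += 3
        else:
            digits.append(cls[i])
            i += 1
    return digits


def expand_summary(summary):
    """Return the full set of CVE ids denoted by a bugzilla Summary line."""
    ids = set()
    for year, prefix, cls in SHORTHAND_RE.findall(summary):
        if cls:
            ids.update(f"CVE-{year}-{prefix}{d}" for d in expand_class(cls))
        else:
            ids.add(f"CVE-{year}-{prefix}")
    return ids


def check_advisory(advisory, summary):
    """Report CVE ids present in one place but missing from another."""
    body, _, refs = advisory.partition("References:")
    in_body = set(CVE_RE.findall(body))
    in_refs = set(CVE_RE.findall(refs))
    in_summary = expand_summary(summary)
    return {
        "body_not_in_refs": sorted(in_body - in_refs),
        "refs_not_in_body": sorted(in_refs - in_body),
        "body_not_in_summary": sorted(in_body - in_summary),
        "summary_not_in_body": sorted(in_summary - in_body),
    }


# The Summary line of this bug as it reads after CVE-2018-16802 was added.
MAGEIA_SUMMARY = ("ghostscript new security issue CVE-2018-1590[89], "
                  "CVE-2018-1591[01], CVE-2018-16509, CVE-2018-1651[013], "
                  "CVE-2018-16539, CVE-2018-1654[0-3], CVE-2018-16802")

# Constructed sample: the body names CVE-2018-16585, the references do not.
SAMPLE_ADVISORY = """\
The updated packages fix security vulnerabilities:

Attackers able to supply malicious PostScript files could bypass .tempfile
restrictions and write files. (CVE-2018-15908)
A type confusion in the .shfill operator could crash the interpreter.
(CVE-2018-15909)
.setdistillerkeys memory corruption. (CVE-2018-16585)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15909
"""
SAMPLE_SUMMARY = "ghostscript new security issue CVE-2018-1590[89]"

if __name__ == "__main__":
    for key, missing in check_advisory(SAMPLE_ADVISORY, SAMPLE_SUMMARY).items():
        print(f"{key:22s} {missing}")
```

A "(CVE Requested)" placeholder is ignored by CVE_RE on purpose, so an entry that still lacks an identifier does not trip the check; once the number is assigned it has to be added in all three places for the report to come back empty.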
Debian has issued an advisory for this on September 7: https://www.debian.org/security/2018/dsa-4288
Fedora has issued an advisory for this today (September 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KMQ2Q6CJ5UIX5AEI5FWF5WYHUYTVUH2I/
Follow-on from comment #24. Note that the gs PDF problem affects Mageia Cauldron as well but not Mageia 5 ghostscript 9.23.1 tested in virtualbox so it looks like a definite regression. re comment #28: "Fix SEGV seen in all-devices test with plank examples/ridt91.eps" Not familiar with these tests but the ridt91.eps file presents no problem to gs or to CUPS printing.
On the basis that ghostscript works in most cases it is probably better to let this go and perhaps raise a bug on the gs/PDF regression. After all, who would normally reach for gs when needing to read PDFs? It is a trivial case.
Whiteboard: (none) => MGA6-64-OK
Upstream solved the PDF regression in gs with this commit: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ba8eda9d8c62e34ce3fed2d22647797e29494eb7
Updated packages in core/updates_testing:
========================

ghostscript-9.24-1.5.mga6
ghostscript-dvipdf-9.24-1.5.mga6
ghostscript-common-9.24-1.5.mga6
ghostscript-X-9.24-1.5.mga6
ghostscript-module-X-9.24-1.5.mga6
lib(64)gs9-9.24-1.5.mga6
lib(64)gs-devel-9.24-1.5.mga6
lib(64)ijs1-0.35-132.5.mga6
lib(64)ijs-devel-0.35-132.5.mga6
ghostscript-doc-9.24-1.5.mga6

from SRPMS:
ghostscript-9.24-1.5.mga6.src.rpm
Thanks Nicolas. Withdrawing the OK with a view to running the tests again. Later.
Whiteboard: MGA6-64-OK => (none)
Updated the ten packages. Checked the use of gs to view PDFs and can confirm that the issue is fixed. Shall check Cauldron later. Tried dvipdf to convert a DVI file to PDF format. Viewed the result successfully with gs. Command-line printing with lpr and LO worked fine for a PostScript file.
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Ref Comment 25 above: copied /usr/share/alignmargins/align.ps to ~/Documenten, then

[xxx@yyy Documenten]$ ps2epsi align.ps
Error: /typecheck in --get--
Operand stack:
   600   0
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   2015   1   4   %oparray_pop   2014   1   4   %oparray_pop   1998   1   4   %oparray_pop   1884   1   4   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   --nostringval--
Dictionary stack:
   --dict:985/1684(ro)(G)--   --dict:0/20(G)--   --dict:82/200(L)--   --dict:5/30(L)--   --dict:33/60(L)--
Current allocation mode is local
GPL Ghostscript 9.24: Unrecoverable error, exit code 1
CC: (none) => herman.viaene
Cauldron is fixed as well.
Replying to comment #37.

$ gs align.ps
should work.

Tried
$ ps2epsi align.ps
here and saw exactly the same messages as posted above. A file align.epsi is produced but it seems to be missing part of the prologue. There is no proper header so it is probably not a good candidate for epsi conversion. I would not worry about it.
Testing above commands with ps file exported by gimp from a bmp file. All seems to work OK.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Ghostscript 9.25 contains these fixes: https://www.ghostscript.com/doc/9.25/News.htm
So what would be best to do? Pass this along with the fixes it includes, and do version 9.25 with another bug, or keep this in limbo waiting for 9.25 to be built?
CC: (none) => andrewsfarm
"Pass this along with the fixes it includes, and do version 9.25 with another bug" sounds good.
OK then, validating...
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0378.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Also fixed in this update:
- CVE-2018-16585
- CVE-2018-17183
(In reply to David Walser from comment #46)
> Also fixed in this update:
> - CVE-2018-16585
> - CVE-2018-17183

https://lists.opensuse.org/opensuse-updates/2018-10/msg00022.html