Bug 23659 - ghostscript new security issue CVE-2018-17961 and CVE-2018-18073
Summary: ghostscript new security issue CVE-2018-17961 and CVE-2018-18073
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-09 21:58 CEST by David Walser
Modified: 2018-10-17 00:54 CEST
4 users

See Also:
Source RPM: ghostscript-9.24-8.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-09 21:58:03 CEST
A security issue fixed upstream in Ghostscript has been announced:
https://www.openwall.com/lists/oss-security/2018/10/09/4

The commits that fixed the issue are linked from the message above.

Mageia 6 is also affected.
David Walser 2018-10-09 21:58:12 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-10-10 00:36:18 CEST
Bug 23526, our previous update, didn't mention:
CVE-2018-11645
CVE-2018-16585
CVE-2018-17183

Ubuntu has issued advisories for those on September 19 and October 1:
https://usn.ubuntu.com/3768-1/
https://usn.ubuntu.com/3773-1/
Comment 2 Marja Van Waes 2018-10-10 06:10:46 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two committers.

CC: (none) => marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2018-10-10 15:12:08 CEST
Suggested advisory:
========================

The updated packages fix many bugs and a security vulnerability:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/09/4
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.mga6
ghostscript-dvipdf-9.25-1.mga6
ghostscript-common-9.25-1.mga6
ghostscript-X-9.25-1.mga6
ghostscript-module-X-9.25-1.mga6
lib(64)gs9-9.25-1.mga6
lib(64)gs-devel-9.25-1.mga6
lib(64)ijs1-0.35-140.mga6
lib(64)ijs-devel-0.35-140.mga6
ghostscript-doc-9.25-1.mga6

from SRPMS:
ghostscript-9.25-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 6

Nicolas Salguero 2018-10-10 15:12:40 CEST

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2018-10-10 16:19:13 CEST
What about Comment 1?

Keywords: (none) => feedback

Comment 5 Nicolas Salguero 2018-10-10 16:40:57 CEST
(In reply to David Walser from comment #4)
> What about Comment 1?

According to MITRE:
- CVE-2018-11645: Ghostscript before 9.21rc1
- CVE-2018-16585: Ghostscript before 9.24
- CVE-2018-17183: Ghostscript before 9.25 but the commit linked to that CVE was already in our ghostscript-9.24 package.
Comment 6 David Walser 2018-10-10 17:40:05 CEST
Thanks!

Keywords: feedback => (none)

Comment 7 David Walser 2018-10-11 23:02:01 CEST
One more commit is necessary:
https://www.openwall.com/lists/oss-security/2018/10/11/3

Keywords: (none) => feedback

Comment 8 David Walser 2018-10-11 23:05:57 CEST
And yet another needed commit with a new CVE:
https://www.openwall.com/lists/oss-security/2018/10/10/12

Summary: ghostscript new security issue CVE-2018-17961 => ghostscript new security issue CVE-2018-17961 and CVE-2018-18073

Comment 9 Nicolas Salguero 2018-10-12 09:49:54 CEST
Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.1.mga6
ghostscript-dvipdf-9.25-1.1.mga6
ghostscript-common-9.25-1.1.mga6
ghostscript-X-9.25-1.1.mga6
ghostscript-module-X-9.25-1.1.mga6
lib(64)gs9-9.25-1.1.mga6
lib(64)gs-devel-9.25-1.1.mga6
lib(64)ijs1-0.35-140.1.mga6
lib(64)ijs-devel-0.35-140.1.mga6
ghostscript-doc-9.25-1.1.mga6

from SRPMS:
ghostscript-9.25-1.1.mga6.src.rpm
Nicolas Salguero 2018-10-12 09:50:51 CEST

Keywords: feedback => (none)

Comment 10 Len Lawrence 2018-10-12 13:02:15 CEST
Mageia 6, x86_64
Topped up the pre-update packages.

Before update:

CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/10/12
$ gs -dSAFER -sDEVICE=ppmraw
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit)
[...]
null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1916 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]
GS>quit

Quoting the reference above:
"Once you have a reference to forceput, you can do anything you like, see
the exploit for CVE-2018-18073 as an example of abusing forceput to get
arbitrary filesystem access."
I could not find that exploit but updating solved the problem.

Waiting for the mirrors to sync. Tested the earlier update. When the new files appear I will run through the same tests again and report any differences in behaviour.
After the first update you can access the error stack safely:
$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- --.setglobal-- --%loop_continue-- --.setglobal-- --.setglobal-- false 1 --%stopped_push-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1920 1 3 --%oparray_pop-- --.setglobal--]
GS>

Ran a few simple tests of gs.
Displayed a postscript file.
$ gs abc-0.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.25/Resource/Font/BorzoiRegular.
Can't find (or can't open) font file BorzoiRegular.
Loading BorzoiRegular font from /home/lcl/.local/share/fonts/BorzoiRegular.pfb... 4495204 2874741 3183244 1851046 3 done.
>>showpage, press <return> to continue<<

GS>quit

LibreOffice has ghostscript support.
The same file displayed OK with that.
Browsed an e-book pdf file with gs, hitting return to turn the pages.  On quit it insisted on flicking through the rest of the 832 pages.

Converted a dvi file to a pdf.
$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning:  no %%Page comments generated.

In fact it reproduced perfectly in okular - no loss of quality.

Looks OK for 64-bits.

CC: (none) => tarazed25
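The estack probe from Comment 10, wrapped as a non-interactive check that a QA tester can rerun before and after the update (added example, not part of the bug report; it assumes `gs` is on PATH and, as the two transcripts above show, that the fixed build no longer prints `--.forceput--` in the dumped stack):

```shell
#!/bin/sh
# Added example, not from the bug report. Replays Len Lawrence's probe
# (Comment 10) against the installed gs without an interactive session and
# classifies the dumped execution stack. Assumes `gs` is on PATH.

# PostScript probe from Comment 10: raise a typecheck inside a stopped
# context, discard the operand stack, then print the saved execution stack.
PROBE='{ null .setglobal } stopped clear $error /estack get == quit'

# Reads a dumped estack on stdin. Returns 0 if it exposes an operator-array
# body containing .forceput (the unfixed behaviour), 1 otherwise.
estack_leaks_forceput() {
    grep -q -- '--\.forceput--'
}

# Runs the probe under -dSAFER and reports. Returns 0 when the installed
# build looks fixed, 1 when the leak is still present, 2 if gs is missing.
probe_installed_gs() {
    command -v gs >/dev/null 2>&1 || { echo "gs not found"; return 2; }
    # -q: no banner; -dNODISPLAY: no output device; -dBATCH: exit after -c.
    out=$(gs -q -dSAFER -dNODISPLAY -dBATCH -c "$PROBE" 2>&1)
    if printf '%s\n' "$out" | estack_leaks_forceput; then
        echo "VULNERABLE: saved estack exposes .forceput"
        return 1
    fi
    echo "OK: saved estack does not expose .forceput"
    return 0
}
```

The exact stack printed from `-c` differs from the interactive transcripts above (no prompt procedure), but the presence or absence of `--.forceput--` is what distinguishes the two builds.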

Comment 11 Len Lawrence 2018-10-13 11:24:52 CEST
CVE-2018-18073 has reserved status; no details of possible exploits available.

Passing it on.

Whiteboard: (none) => MGA6-64-OK

Comment 12 David Walser 2018-10-17 00:54:12 CEST
Ugh, another commit is needed for CVE-2018-18284:
https://www.openwall.com/lists/oss-security/2018/10/16/2

Can we add it in?
