A security issue fixed upstream in Ghostscript has been announced:
https://www.openwall.com/lists/oss-security/2019/01/23/5

Links to the upstream commits to fix the issue are in the message above.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => mageia, marja11, nicolas.salguero, rverschelde, smelror
Assignee: bugsquad => pkg-bugs
Ubuntu and Debian have issued advisories for this on January 23 and 26:
https://usn.ubuntu.com/3866-1/
https://www.debian.org/security/2019/dsa-4372
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. (CVE-2019-6116)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://usn.ubuntu.com/3866-1/
https://www.debian.org/security/2019/dsa-4372
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.26-1.2.mga6
ghostscript-dvipdf-9.26-1.2.mga6
ghostscript-common-9.26-1.2.mga6
ghostscript-X-9.26-1.2.mga6
ghostscript-module-X-9.26-1.2.mga6
lib(64)gs9-9.26-1.2.mga6
lib(64)gs-devel-9.26-1.2.mga6
lib(64)ijs1-0.35-143.2.mga6
lib(64)ijs-devel-0.35-143.2.mga6
ghostscript-doc-9.26-1.2.mga6

from SRPMS:
ghostscript-9.26-1.2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Source RPM: ghostscript-9.26-2.mga7.src.rpm => ghostscript-9.26-1.1.mga6.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-6116
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

*Before update*
ghostscript-9.26-1.1.mga6

CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5

Without sandbox:
$ gs ghostscript_926_forceput_typecheck_example.ps
[...]
Stage 0: PDFfile
Stage 1: q
Stage 3: oget
Stage 4: pdfemptycount
Stage 5: gput
Stage 6: resolvestream
Stage 7: pdfopdict
Stage 8: .pdfruncontext
Stage 9: pdfdict
Stage 10: /typecheck #1
Stage 10: /typecheck #2
Stage 11: Exploitation...
Should now have complete control over ghostscript, attempting to read /etc/passwd...
(root:x:0:0:root:/root:/bin/bash)
Attempting to execute a shell command...
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),946(qarepo),954(vboxusers),955(docker)
All done.

With sandbox:
$ gs -dSAFER -f ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
Execution stack:
   %interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push
Dictionary stack:
   --dict:959/1684(ro)(G)-- --dict:0/20(G)-- --dict:78/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1

*After updates*

$ gs -dSAFER -f ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
Execution stack:
   %interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push
Dictionary stack:
   --dict:959/1684(ro)(G)-- --dict:0/20(G)-- --dict:78/200(L)--
Current allocation mode is local
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1

At first sight it looks like this problem was fixed in version 9.26-1.1 but note that *without the sandbox* the exploit is still caught with the later version, so there is an improvement.

$ gs ghostscript-926-forceput.ps
[...]
Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Operand stack:
[...]
GPL Ghostscript 9.26: Unrecoverable error, exit code 1

Quick tests:

$ gs abc-0.ps
[...]
Querying operating system for font files...
**** Warning: glyf overlaps cmap, truncating.
**** Warning: glyf overlaps cmap, truncating.
Can't find (or can't open) font file /usr/share/ghostscript/9.26/Resource/Font/BlueHighway.
Can't find (or can't open) font file BlueHighway.
Loading BlueHighway font from /usr/share/fonts/ttf/western/Bluehigh.ttf... 4770204 3090164 4207412 2809229 3 done.
Loading Gemelli font from /usr/share/fonts/default/ghostscript/gemelli.pfb... 4780460 3177439 4247812 2836394 3 done.
Loading MaxCircus font from /usr/share/fonts/default/ghostscript/maxcircus.pfb... 4806988 3285594 4288212 2850222 3 done.
>>showpage, press <return> to continue<<
GS>quit

The page shows perfectly on the screen as a set of address labels and can be printed from the command line.

$ lpr -Pokda abc-0.ps

$ libreoffice --writer --invisible -p utility_qflash_uefi.pdf
This printed a document on the default printer. Ran it under strace initially to look for signs of ghostscript interaction but could see none so ghostscript must come in later in the chain (-> CUPS -> rasterization?).

$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning: no %%Page comments generated.

$ ll refcard*
-rw-r--r-- 1 lcl lcl 15652 May 2 2018 refcard.dvi
-rw-r--r-- 1 lcl lcl 403474 Jan 28 17:55 refcard.pdf

The output file refcard.pdf looked perfect in xpdf.

Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
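Added example, not part of the tester's report or of Mageia QA tooling: a shell helper that classifies a saved `gs` transcript from a regression run like the one above, treating `/undefinedfilename` (reported with "No such file or directory") as a run in which the interpreter never opened the test file. The function name, verdict strings and sample transcripts are assumptions constructed from the output quoted in this report.

```shell
#!/bin/sh
# Classify the captured output of one `gs` run against a PoC test file.
# Hypothetical helper: verdict names are illustrative, not a Mageia convention.

classify_gs_run() {
    # $1 = captured stdout+stderr of a single gs invocation
    transcript=$1

    # gs could not open the input file, so the PoC was never interpreted.
    if printf '%s\n' "$transcript" | grep -q 'Error: /undefinedfilename in'; then
        echo INCONCLUSIVE
        return 0
    fi
    # Lines the PoC prints after escaping: a passwd entry or `id` output.
    if printf '%s\n' "$transcript" | grep -Eq '^\(root:x:0:0:|^uid=[0-9]+\('; then
        echo VULNERABLE
        return 0
    fi
    # File was read and none of the escape markers appeared.
    echo NO_EXPLOIT_MARKERS
}

# Constructed samples, abbreviated from the transcripts quoted in this report.
SAMPLE_EXPLOITED='Stage 11: Exploitation...
Should now have complete control over ghostscript, attempting to read /etc/passwd...
(root:x:0:0:root:/root:/bin/bash)
Attempting to execute a shell command...
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl)
All done.'

SAMPLE_MISSING='Error: /undefinedfilename in (ghostscript-926-forceput.ps)
Last OS error: No such file or directory
GPL Ghostscript 9.26: Unrecoverable error, exit code 1'

# Constructed: an ordinary run that renders a page and shows no markers.
SAMPLE_CLEAN='GPL Ghostscript 9.26
>>showpage, press <return> to continue<<'

for sample in "$SAMPLE_EXPLOITED" "$SAMPLE_MISSING" "$SAMPLE_CLEAN"; do
    classify_gs_run "$sample"
done
```
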
Re comment 4: The printer connection with ghostscript is through hplip which has ghostscript-common, lib64gs9 and other ghostscript dependencies.
Thanks for the rapid test, Len. Validating, advisory from comment 3.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0056.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED