Two security issues have been fixed upstream in Ghostscript: https://www.openwall.com/lists/oss-security/2019/03/21/1 The commits to fix them are linked from the message above. They are also fixed in 9.27. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
RedHat has issued an advisory for this on March 21: https://access.redhat.com/errata/RHSA-2019:0633
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two submitters.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11, nicolas.salguero, smelror
Suggested advisory: ======================== The updated packages fix security vulnerabilities: It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3835) It was found that the forceput operator could be extracted from the DefineResource method using methods similar to the ones described in CVE-2019-6116. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3838) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3835 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3838 https://www.openwall.com/lists/oss-security/2019/03/21/1 https://access.redhat.com/errata/RHSA-2019:0633 ======================== Updated package in core/updates_testing: ======================== ghostscript-9.26-1.3.mga6 ghostscript-dvipdf-9.26-1.3.mga6 ghostscript-common-9.26-1.3.mga6 ghostscript-X-9.26-1.3.mga6 ghostscript-module-X-9.26-1.3.mga6 lib(64)gs9-9.26-1.3.mga6 lib(64)gs-devel-9.26-1.3.mga6 lib(64)ijs1-0.35-143.3.mga6 lib(64)ijs-devel-0.35-143.3.mga6 ghostscript-doc-9.26-1.3.mga6 from SRPMS: ghostscript-9.26-1.3.mga6.src.rpm
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDCVE: (none) => CVE-2019-3835, CVE-2019-3838
Source RPM: ghostscript-9.26-3.mga7.src.rpm => ghostscript-9.26-1.2.mga6.src.rpm
mga6, x86_64 Checked for reproducers but all that is available is a vulnerability check. CVE-2019-3835 : superexec operator is available https://www.openwall.com/lists/oss-security/2019/03/21/1 $ gs -dSAFER -dNODISPLAY [...] GS>1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print VULNERABLE GS>quit No test for CVE-2019-3838 : forceput in DefineResource is still accessible Updated the 10 packages. $ gs -dSAFER -dNODISPLAY GS>1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print SAFE GS>quit gs tests: $ gs abc-0.ps This displayed correctly a page of labels in ComicSansMS font. $ lpr -Pokda abc-0.ps prints the document OK. $ dvipdf refcard.dvi refcard.pdf dvips: Font cmbx10 at 13824 not found; scaling 600 instead. dvips: Such scaling will generate extremely poor output. Page 1 may be too complex to print Page 2 may be too complex to print Page 5 may be too complex to print Page 6 may be too complex to print Warning: no %%Page comments generated. $ ll refcard* -rw-r--r-- 1 lcl lcl 15652 May 2 2018 refcard.dvi -rw-r--r-- 1 lcl lcl 403474 Mar 26 20:41 refcard.pdf refcard.pdf is a six-page document which can be viewed in okular. It renders perfectly. This all looks good for 64-bits.
Whiteboard: (none) => MGA6-64-OKCC: (none) => tarazed25
Did the same SAFE test in 32 bits, it is ok.
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OKCC: (none) => lists.jjorge
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0130.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED