Bug 25294 - ghostscript new security issue CVE-2019-10216
Summary: ghostscript new security issue CVE-2019-10216
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal, Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Blocks: 24866
Reported: 2019-08-12 19:18 CEST by David Walser
Modified: 2019-08-31 15:24 CEST
Source RPM: ghostscript-9.27-1.mga7.src.rpm
Status comment: Fixed upstream in 9.28


Description David Walser 2019-08-12 19:18:24 CEST
RedHat has issued an advisory today (August 12):
https://access.redhat.com/errata/RHSA-2019:2462

The issue is fixed upstream in 9.28.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 19:18:37 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO
Status comment: (none) => Fixed upstream in 9.28

Comment 1 David Walser 2019-08-13 00:47:35 CEST
More details on the issue:
https://www.openwall.com/lists/oss-security/2019/08/12/4
Comment 2 Marja Van Waes 2019-08-14 07:36:50 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing two submitters.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero, smelror

David Walser 2019-08-19 19:38:42 CEST

Blocks: (none) => 24866

Comment 3 David GEIGER 2019-08-20 10:23:46 CEST
Done for mga6, mga7 and Cauldron!

CC: (none) => geiger.david68210

Comment 4 David Walser 2019-08-20 12:42:00 CEST
Advisory:
========================

Updated ghostscript packages fix security vulnerability:

It was found that the .buildfont1 procedure did not properly secure its
privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An
attacker could abuse this flaw by creating a specially crafted PostScript file
that could escalate privileges and access files outside of restricted areas
(CVE-2019-10216).

Also, the Mageia 7 update fixes a bounding box issue that affects klatexformula
(mga#24866).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10216
https://www.openwall.com/lists/oss-security/2019/08/12/4
https://access.redhat.com/errata/RHSA-2019:2462
https://bugs.mageia.org/show_bug.cgi?id=24866
https://bugs.mageia.org/show_bug.cgi?id=25294
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.26-1.5.mga6
ghostscript-dvipdf-9.26-1.5.mga6
ghostscript-common-9.26-1.5.mga6
ghostscript-X-9.26-1.5.mga6
ghostscript-module-X-9.26-1.5.mga6
libgs9-9.26-1.5.mga6
libgs-devel-9.26-1.5.mga6
libijs1-0.35-143.5.mga6
libijs-devel-0.35-143.5.mga6
ghostscript-doc-9.26-1.5.mga6
ghostscript-9.27-1.2.mga7
ghostscript-dvipdf-9.27-1.2.mga7
ghostscript-common-9.27-1.2.mga7
ghostscript-X-9.27-1.2.mga7
ghostscript-module-X-9.27-1.2.mga7
lib64gs9-9.27-1.2.mga7
lib64gs-devel-9.27-1.2.mga7
lib64ijs1-0.35-147.2.mga7
lib64ijs-devel-0.35-147.2.mga7
ghostscript-doc-9.27-1.2.mga7

from SRPMS:
ghostscript-9.26-1.5.mga6.src.rpm
ghostscript-9.27-1.2.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
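
Added example (not part of the bug report or of Mageia's tooling): a Python check that compares installed package builds with the fixed builds listed in the advisory above, using rpm-style segment comparison. The installed list is constructed sample data, the table holds only a subset of the advisory's packages, and the comparison assumes no epoch and no `~` or `^` in the version strings.

```python
import re

# Subset of the fixed builds from the advisory's package list.
ADVISORY = """
ghostscript-9.26-1.5.mga6 ghostscript-common-9.26-1.5.mga6 libgs9-9.26-1.5.mga6
libijs1-0.35-143.5.mga6 ghostscript-9.27-1.2.mga7 ghostscript-common-9.27-1.2.mga7
lib64gs9-9.27-1.2.mga7 lib64ijs1-0.35-147.2.mga7
"""

def split_nvr(nvr):
    """'lib64gs9-9.27-1.2.mga7' -> ('lib64gs9', '9.27', '1.2.mga7')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def segcmp(a, b):
    """Compare two version or release strings by digit and letter runs."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric run beats a letter run
        if x != y:
            return 1 if x > y else -1
    # All shared runs equal: the string with runs left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

# Key each fixed build by (package name, release tag such as 'mga7').
FIXED = {}
for nvr in ADVISORY.split():
    n, v, r = split_nvr(nvr)
    FIXED[(n, r.rsplit(".", 1)[-1])] = (v, r)

def needs_update(installed):
    """Return the installed NVRs that are older than the advisory's build."""
    stale = []
    for nvr in installed:
        n, v, r = split_nvr(nvr)
        fixed = FIXED.get((n, r.rsplit(".", 1)[-1]))
        if fixed and (segcmp(v, fixed[0]) or segcmp(r, fixed[1])) < 0:
            stale.append(nvr)
    return stale

# Constructed sample, in the form printed by
# rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE = ["ghostscript-9.26-1.4.mga6", "lib64gs9-9.27-1.mga7",
          "ghostscript-common-9.27-1.2.mga7", "bash-4.4.23-1.mga7"]
print(needs_update(SAMPLE))
```

The second sample entry is the case a plain string or `sort -V` comparison gets wrong: release `1.mga7` is older than `1.2.mga7` because rpm ranks a numeric segment above an alphabetic one.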

Comment 5 Len Lawrence 2019-08-20 16:49:12 CEST
Updated from release 1.4 to 1.5 on Mageia6.
Restarted CUPS server.
Used HP Photosmart5520 wireless printer.

No reproducers available.  Some online discussions are still not public.

Works with CUPS/HPLIP at the cli for gs and lpr, and from the gui for LibreOffice writer
and Firefox (essentially LO).

$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning:  no %%Page comments generated.

The generated PDF displays fine with xpdf or okular.

Tried this from an earlier bug report - don't know if the numbers are significant for
this version.

$ gs -dSAFER -dNODISPLAY
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) }
GS<3>ifelse print
SAFE
GS>quit

The "SAFE" came up without prompting.

This looks good for 64-bits.

CC: (none) => tarazed25
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 6 Len Lawrence 2019-08-22 22:00:01 CEST
mga7, x86_64

HP Photosmart 5520 wifi printer
CUPS/HPLIP

Updated all the packages.

Printed a postscript file using lpr and viewed it with gs.
Printed an image with LibreOffice draw and an odt file with LO writer.

Converted a dvi file to a pdf using dvipdf.  Result was OK.

The SAFE test from comment 5 worked as before.

This is fine for 64bit.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Thomas Backlund 2019-08-31 13:10:42 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 7 Mageia Robot 2019-08-31 15:24:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

