Bug 25379 - ghostscript new security issues CVE-2019-1481[1237]
Summary: ghostscript new security issues CVE-2019-1481[1237]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-29 13:25 CEST by David Walser
Modified: 2019-09-12 21:11 CEST

See Also:
Source RPM: ghostscript-9.27-3.mga8.src.rpm
CVE: CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817
Status comment:



Description David Walser 2019-08-29 13:25:51 CEST
More security issues in Ghostscript have been announced on August 28:
https://www.openwall.com/lists/oss-security/2019/08/28/2

They have been fixed upstream in commits referenced in the message above.

Note that we have a pending update in Bug 25294 that is ready to be validated and pushed.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-29 13:26:00 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-31 16:38:47 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some submitters.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror

Comment 2 David Walser 2019-09-03 14:37:57 CEST
Red Hat has issued an advisory for this on September 2:
https://access.redhat.com/errata/RHSA-2019:2586

Severity: major => critical

Comment 3 Nicolas Salguero 2019-09-09 12:27:05 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator. (CVE-2019-14811)

Safer Mode Bypass by .forceput Exposure in setuserparams. (CVE-2019-14812)

Safer Mode Bypass by .forceput Exposure in setsystemparams. (CVE-2019-14813)

Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures. (CVE-2019-14817)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14817
https://www.openwall.com/lists/oss-security/2019/08/28/2
https://access.redhat.com/errata/RHSA-2019:2586
========================

Updated packages in 6/core/updates_testing:
========================
ghostscript-9.26-1.6.mga6
ghostscript-dvipdf-9.26-1.6.mga6
ghostscript-common-9.26-1.6.mga6
ghostscript-X-9.26-1.6.mga6
ghostscript-module-X-9.26-1.6.mga6
lib(64)gs9-9.26-1.6.mga6
lib(64)gs-devel-9.26-1.6.mga6
lib(64)ijs1-0.35-143.6.mga6
lib(64)ijs-devel-0.35-143.6.mga6
ghostscript-doc-9.26-1.6.mga6

from SRPMS:
ghostscript-9.26-1.6.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
ghostscript-9.27-1.3.mga7
ghostscript-dvipdf-9.27-1.3.mga7
ghostscript-common-9.27-1.3.mga7
ghostscript-X-9.27-1.3.mga7
ghostscript-module-X-9.27-1.3.mga7
lib(64)gs9-9.27-1.3.mga7
lib(64)gs-devel-9.27-1.3.mga7
lib(64)ijs1-0.35-147.3.mga7
lib(64)ijs-devel-0.35-147.3.mga7
ghostscript-doc-9.27-1.3.mga7

from SRPMS:
ghostscript-9.27-1.3.mga7.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
CVE: (none) => CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817
Version: Cauldron => 7
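
A version check built from the package lists in comment 3, added here as an example and not part of the bug report or of Mageia's tooling. It reports whether a ghostscript version-release string is at or above the fixed build for its Mageia release; `fixed_for`, `gs_status` and `check_host` are hypothetical names, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: compare a ghostscript version-release string with the
# fixed builds listed in this bug (comment 3, updates_testing lists).

# Fixed build for the Mageia release named in the string's suffix.
fixed_for() {
    case "$1" in
        *.mga6) echo "9.26-1.6.mga6" ;;
        *.mga7) echo "9.27-1.3.mga7" ;;
        *)      return 1 ;;   # release not covered by this bug
    esac
}

# Prints "fixed", "needs-update" or "unknown" for a version-release string.
# Assumption: GNU `sort -V` ordering is used in place of rpm's comparison;
# the two agree for plain dotted numeric strings such as these.
gs_status() {
    installed=$1
    fixed=$(fixed_for "$installed") || { echo unknown; return 0; }
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then
        echo fixed          # installed build is the fixed build or newer
    else
        echo needs-update   # installed build predates the fixed build
    fi
}

# On a live host: query the installed ghostscript package with rpm.
check_host() {
    gs_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' ghostscript)"
}

# Only touch the rpm database when explicitly asked to.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run with `--host` on a Mageia 6 or 7 system to check the installed package; any other release suffix is reported as `unknown` because this bug lists fixed builds only for those two.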

Comment 4 Len Lawrence 2019-09-10 01:48:34 CEST
mga7, x86_64

Checked the CVEs - no reproducers available.

Clean update of the 10 packages.
Restarted cups server.
$ gs --version
9.27

Ran the following out of curiosity.  The "1183615869" still seems to mean something.
$ gs -dSAFER -dNODISPLAY
GPL Ghostscript 9.27 (2019-04-04)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) }
GS<3>ifelse print
SAFE
GS>quit

$ dvipdf refcard.dvi refcard.pdf
dvips: Font cmbx10 at 13824 not found; scaling 600 instead.
dvips: Such scaling will generate extremely poor output.
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 5 may be too complex to print
Page 6 may be too complex to print
Warning:  no %%Page comments generated.

The PDF file matches the original DVI.

Set up HPLIP wifi printer HP Photosmart 5520 aka "okda".
Printing via cli worked fine.
$ lpr -Pokda report.25294
Printed an odt file from LO writer.

Viewed a locally generated postscript file with gs - graphics and text rendered fine.

It all works here for 64bit.

CC: (none) => tarazed25

Len Lawrence 2019-09-10 01:49:03 CEST

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 5 Len Lawrence 2019-09-10 02:09:30 CEST
mga6, x86_64

All packages updated cleanly.
$ gs --version
9.26

The wireless printer was already set up under HPLIP.
Ran the same tests as outlined in comment 4, with identical results.

OK for 64bit and can be validated, suggested advisory in comment 3, to be pushed to SVN.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-09-12 18:38:20 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-09-12 21:11:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0271.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

