Debian-LTS has issued an advisory on August 20:
https://www.debian.org/lts/security/2020/dla-2335

The issues are fixed upstream in 9.51.
No consistent maintainer for ghostscript, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A buffer overflow vulnerability in lprn_is_black() in contrib/lips4/gdevlprn.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16287)

A buffer overflow vulnerability in pj_common_print_page() in devices/gdevpjet.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16288)

A buffer overflow vulnerability in cif_print_page() in devices/gdevcif.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16289)

A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16290)

A buffer overflow vulnerability in contrib/gdevdj9.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16291)

A buffer overflow vulnerability in mj_raster_cmd() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16292)

A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16293)

A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16294)

A null pointer dereference vulnerability in clj_media_size() in devices/gdevclj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16295)

A buffer overflow vulnerability in GetNumWrongData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16296)

A buffer overflow vulnerability in FloydSteinbergDitheringC() in contrib/gdevbjca.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16297)

A buffer overflow vulnerability in mj_color_correct() in contrib/japanese/gdevmjc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16298)

A Division by Zero vulnerability in bj10v_print_page() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16299)

A buffer overflow vulnerability in tiff12_print_page() in devices/gdevtfnx.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16300)

A buffer overflow vulnerability in okiibm_print_page1() in devices/gdevokii.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16301)

A buffer overflow vulnerability in jetp3852_print_page() in devices/gdev3852.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted PDF file. (CVE-2020-16302)

A use-after-free vulnerability in xps_finish_image_path() in devices/vector/gdevxps.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted PDF file. (CVE-2020-16303)

A buffer overflow vulnerability in image_render_color_thresh() in base/gxicolor.c of Artifex Software GhostScript v9.50 allows a remote attacker to escalate privileges via a crafted eps file. (CVE-2020-16304)

A buffer overflow vulnerability in pcx_write_rle() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16305)

A null pointer dereference vulnerability in devices/gdevtsep.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. (CVE-2020-16306)

A null pointer dereference vulnerability in devices/vector/gdevtxtw.c and psi/zbfont.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. (CVE-2020-16307)

A buffer overflow vulnerability in p_print_image() in devices/gdevcdj.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16308)

A buffer overflow vulnerability in lxm5700m_print_page() in devices/gdevlxm.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted eps file. (CVE-2020-16309)

A division by zero vulnerability in dot24_print_page() in devices/gdevdm24.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-16310)

A buffer overflow vulnerability in GetNumSameData() in contrib/lips4/gdevlips.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. (CVE-2020-17538)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16288
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16292
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16294
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16295
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16298
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16299
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16301
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16306
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16310
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17538
https://www.debian.org/lts/security/2020/dla-2335
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.27-1.5.mga7
ghostscript-dvipdf-9.27-1.5.mga7
ghostscript-common-9.27-1.5.mga7
ghostscript-X-9.27-1.5.mga7
ghostscript-module-X-9.27-1.5.mga7
lib(64)gs9-9.27-1.5.mga7
lib(64)gs-devel-9.27-1.5.mga7
lib(64)ijs1-0.35-147.5.mga7
lib(64)ijs-devel-0.35-147.5.mga7
ghostscript-doc-9.27-1.5.mga7

from SRPMS:
ghostscript-9.27-1.5.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Updated packages in core/updates_testing:
========================
ghostscript-9.27-1.6.mga7
ghostscript-dvipdf-9.27-1.6.mga7
ghostscript-common-9.27-1.6.mga7
ghostscript-X-9.27-1.6.mga7
ghostscript-module-X-9.27-1.6.mga7
lib(64)gs9-9.27-1.6.mga7
lib(64)gs-devel-9.27-1.6.mga7
lib(64)ijs1-0.35-147.6.mga7
lib(64)ijs-devel-0.35-147.6.mga7
ghostscript-doc-9.27-1.6.mga7

from SRPMS:
ghostscript-9.27-1.6.mga7.src.rpm
Just starting on the PoC trail. Reporting later.
CC: (none) => tarazed25
mga7, x64

CVE-2020-16287
https://bugs.ghostscript.com/show_bug.cgi?id=701785
$ gs -sOutputFile=tmp -sDEVICE=lips2p PoC.pdf
GPL Ghostscript 9.27 (2019-04-04)
Processing pages 1 through 1.
Page 1
>>showpage, press <return> to continue<<
>> quit
$ cat tmp
�21;240;0Jlips2p:2.3.6��11h�0q�2 I�80;5000;5000p�1v�2yGhostscript��11h�?2;3h�?1;4;5;6l�7 I�50k�0;2t�1572e�1572a�1;3t�1572k

No abort so this may demonstrate buffer overflow only with gs+asan.
Shall check all the CVEs but ignore any PoC which depends on asan.
mga7, x64

CVE-2020-16287
https://bugs.ghostscript.com/show_bug.cgi?id=701785
$ gs -sOutputFile=tmp -sDEVICE=lips2p PoC.pdf
GPL Ghostscript 9.27 (2019-04-04)
Processing pages 1 through 1.
Page 1
>>showpage, press <return> to continue<<
>> quit
$ cat tmp
�21;240;0Jlips2p:2.3.6��11h�0q�2 I�80;5000;5000p�1v�2yGhostscript��11h�?2;3h�?1;4;5;6l�7 I�50k�0;2t�1572e�1572a�1;3t�1572k

No abort so this may demonstrate buffer overflow only with gs+asan.
Shall check all the CVEs to see if there is anything useful for us.
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 25697 for test.
File thm.dvi not found anymore on the site referred to there. So at CLI:
$ gs --version
9.27
$ dvipdf hharvsamp.dvi hharvsamp.pdf
Page 0 may be too complex to print
Page 1 may be too complex to print
Page 2 may be too complex to print
Page 3 may be too complex to print
Page 5 may be too complex to print
Warning: no %%Page comments generated.

Resulting pdf file displays OK with okular, showing mathematical symbols.
Also installed wifi printer in MCC.
When Len's tests work OK, no objections on OK'ing this update.
CC: (none) => herman.viaene
Created attachment 11821 [details] test dvi file
Thanks Herman. About two-thirds of the way through the pre-update tests. Definitely a two-day job.
All the CVEs have been addressed here and the results of the PoC tests show a clean bill of health for ghostscript after the updates. Adding the summary as an attachment later. This plus comment 7 is enough for the OK.
Whiteboard: (none) => MGA7-64-OK
Created attachment 11822 [details] Brief reports of PoC tests with a final summary
A thorough job, Gentlemen! Validating. Advisory in Comment 2, with updated file list in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0344.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Debian has issued an advisory for this on August 25:
https://www.debian.org/security/2020/dsa-4748