Ubuntu has issued an advisory today (September 10):
https://ubuntu.com/security/notices/USN-5075-1
Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu
Not officially your baby, Stig, but you have done most of the most recent commits to 'ghostscript'; so assigning this to you rather than everybody.
Assignee: bugsquad => smelror
Debian has issued an advisory for this on September 10: https://www.debian.org/security/2021/dsa-4972
More references (this is apparently extremely serious): https://bugs.ghostscript.com/show_bug.cgi?id=704342 https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
CC: (none) => smelror
Assignee: smelror => pkg-bugs
openSUSE has issued an advisory for this today (September 15): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Trivial -dSAFER bypass in 9.55. (CVE-2021-3781)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3781
https://ubuntu.com/security/notices/USN-5075-1
https://www.debian.org/security/2021/dsa-4972
https://bugs.ghostscript.com/show_bug.cgi?id=704342
https://therecord.media/ghostscript-zero-day-allows-full-server-compromises
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/
========================

Updated packages in core/updates_testing:
========================
ghostscript-9.53.3-2.1.mga8
ghostscript-common-9.53.3-2.1.mga8
ghostscript-doc-9.53.3-2.1.mga8
ghostscript-dvipdf-9.53.3-2.1.mga8
ghostscript-module-X-9.53.3-2.1.mga8
ghostscript-X-9.53.3-2.1.mga8
lib64gs9-9.53.3-2.1.mga8
lib64gs-devel-9.53.3-2.1.mga8
lib64ijs1-0.35-162.1.mga8
lib64ijs-devel-0.35-162.1.mga8

from SRPM:
ghostscript-9.53.3-2.1.mga8.src.rpm
CVE: (none) => CVE-2021-3781
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: ghostscript-9.54.0-1.mga9.src.rpm => ghostscript-9.53.3-2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status comment: Patch available from Ubuntu => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
mga8, x86_64

CVE-2021-3781
https://bugs.ghostscript.com/show_bug.cgi?id=704342

Ran the exploit(?) as user and root with similar results.

# gs -dSAFER
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>sh: line 1: /tmp/: Is a directory
uid=0(root) gid=0(root) groups=0(root)

After the update:

$ gs -dSAFER
GPL Ghostscript 9.53.3 (2020-10-01)
....
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
(%pipe%/tmp/&id) (w)
Execution stack:
.....
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24

This looks similar to the upstream result which must be the afterwards case. No exposure of user uid/guid this time. This is probably a good result.

Testing ghostscript later.
CC: (none) => tarazed25
Continuing:

$ gs abc-2.ps
GPL Ghostscript 9.53.3 (2020-10-01)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
Loading CharterBT-Roman font from /usr/share/fonts/default/ghostscript/bchr.pfa... 4408580 2777142 1710392 411483 3 done.
Querying operating system for font files...
Can't find (or can't open) font file /usr/share/ghostscript/9.53.3/Resource/Font//usr/share/.
Can't find (or can't open) font file BlueHighway.
Loading BlueHighway font from /usr/share/fonts/ttf/western/Bluehigh.ttf... 4562236 3040665 5139556 3709496 3 done.
>>showpage, press <return> to continue<<
GS>quit

That showed a page of address labels.

$ lpr -Pokda abc-2.ps

That printed the address labels on a single sheet. The presumption is that CUPS uses Ghostscript at some stage.

$ urpmq --whatrequires lib64gs9
ghostscript
ghostscript-X
gimp
lib64gs-devel
lib64gs9
lib64spectre1
texlive

$ urpmq --whatrequires-recursive lib64gs9 | sort -u
...
cups
cups2freefax
cups-drivers
cups-drivers-*
..............
hplip
hplip-gui
hplip-hpijs
hplip-hpijs-ppds
....
task-printing....

Reckon this is OK.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Fedora has issued an advisory for this today (September 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUUU23H5AUDW3KBMY6WD4MQFZLMXYMIT/
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0436.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED