Bug 29860 - ghostscript new security issues CVE-2021-45944 and CVE-2021-45949
Summary: ghostscript new security issues CVE-2021-45944 and CVE-2021-45949
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2022-01-08 17:49 CET by David Walser
Modified: 2022-01-11 08:14 CET

Source RPM: ghostscript-9.53.3-2.1.mga8.src.rpm

Description David Walser 2022-01-08 17:49:06 CET
Debian has issued an advisory today (January 8):
https://www.debian.org/security/2022/dsa-5038

The issues are fixed upstream in 9.55.0.

David Walser 2022-01-08 17:49:20 CET

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 9.55.0

Comment 1 Nicolas Lécureuil 2022-01-08 23:27:55 CET
Patches added in mga8:

src:
    - ghostscript-9.53.3-2.1.mga8

CC: (none) => mageia
Status comment: Fixed upstream in 9.55.0 => (none)
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2022-01-09 00:01:22 CET
ghostscript-doc-9.53.3-2.1.mga8
ghostscript-module-X-9.53.3-2.1.mga8
libijs-devel-0.35-162.1.mga8
libgs-devel-9.53.3-2.1.mga8
ghostscript-common-9.53.3-2.1.mga8
ghostscript-X-9.53.3-2.1.mga8
libgs9-9.53.3-2.1.mga8
libijs1-0.35-162.1.mga8
ghostscript-9.53.3-2.1.mga8
ghostscript-dvipdf-9.53.3-2.1.mga8

from ghostscript-9.53.3-2.1.mga8.src.rpm

Comment 3 Len Lawrence 2022-01-09 13:45:27 CET
mga8, x64
ghostscript working fine before updates.
Installed all ten update packages.

Extract from `urpmq --whatrequires ghostscript | sort -u` 
atril
cups-drivers
cups-filters
cups-pdf
evince
gmt
gv
hplip-hpijs
latex2html
lilypond
openlp
postscript-ppds
printer-filters
pstotext
scribus
task-printing
texlive
transfig

Ran gs against a Postscript file and checked the trace.
$ strace -o gs.trace gsticket.ps
$ grep libgs gs.trace
openat(AT_FDCWD, "/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3

Experiments with CUPS lpr and LibreOffice writer provide no convincing evidence that ghostscript is used at all.  This is very confusing.

Installed lilypond.
$ strace -o lily.trace lilypond lily-0dae7688.ly
That seemed to go OK.  Various files were generated, *.[eps,pdf,texi,tex,count].
$ gs lily-0dae7688.pdf
produced a window containing a musical score with title "Ghostscript".

$ grep lib lily.trace | egrep -v "fontconfig|output|eration"
Nothing in the output pointed to ijs or gs9.

$ strace -o atril.trace atril PythonUnlocked.pdf
atril worked as expected, hyperlinks from the index as well.  Printed the current page and exited.
Again no sign of the ghostscript libraries being accessed.

We shall have to carry on without evidence.  Taking it on trust that the applications listed do in fact use ghostscript at some level.  If anybody objects to the OK feel free to remove it.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
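
The library check from Comment 3, as an added example that is not part of the bug report: a plain `grep libgs` also matches `libgssapi_krb5`, so this filter keeps only successful opens of the libgs and libijs shared objects. The function names, the libijs file name and the last two sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list the Ghostscript shared
# libraries that a traced command really opened, from strace output.

# Constructed sample trace: the first two lines are the ones quoted in
# Comment 3; the failed open and the PID-prefixed child line are made up.
sample_trace() {
cat <<'EOF'
openat(AT_FDCWD, "/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libgs.so.9", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/lib64/libijs-0.35.so", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# Read strace output on stdin; print each libgs/libijs path opened successfully.
gs_libs_opened() {
    # - optional leading PID (strace -f -o writes one per line)
    # - "\.so" directly after the library name excludes libgssapi_krb5
    # - "= <digits>" keeps only calls that returned a file descriptor
    grep -E '^([0-9]+ +)?open(at)?\(.*"[^"]*/lib(gs|ijs[^"/]*)\.so[^"]*".*\) = [0-9]+' |
        sed -E 's/^[^"]*"([^"]+)".*/\1/' |
        LC_ALL=C sort -u
}

# Trace a command and its children, then report. Only processes descended
# from the traced command appear in the trace.
trace_gs_use() {
    trace_file=$(mktemp) || return 1
    strace -f -e trace=%file -o "$trace_file" "$@" >/dev/null 2>&1
    gs_libs_opened <"$trace_file"
    rm -f "$trace_file"
}

# Demonstration on the constructed sample.
sample_trace | gs_libs_opened
```

On a test machine the same filter is applied to a live run with, for example, `trace_gs_use gs -dBATCH -dNOPAUSE -sDEVICE=nullpage file.ps`.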

Comment 4 Thomas Andrews 2022-01-09 16:43:23 CET
We have a problem here. Hoping to find a way to give Len some confirmation, I installed ghostscript-X. At its simplest, that displays a rendering of a .ps or .pdf file with the command "gs <filename>". 

After checking the current version, I used qarepo to get the packages from Comment 2. But, when I went to use MCC to update them, there was nothing to update. I searched for the last update of Ghostscript, and found that the packages from Bug 29453 Comment 5 are the same version numbers as those we are asked to test here.

Nicolas, this needs to have the version number bumped.

Rescinding the OK, and applying the feedback flag.

CC: (none) => andrewsfarm
Keywords: (none) => feedback
Whiteboard: MGA8-64-OK => (none)

Comment 5 David Walser 2022-01-09 17:02:48 CET
Confirmed; the other Nicolas incorrectly placed a subrel at the top of the spec file in the previous update.  That one should be removed and the new one incremented.

Comment 6 Nicolas Lécureuil 2022-01-09 17:57:09 CET
ok done and pushed.


src:
    - ghostscript-9.53.3-2.2.mga8

Nicolas Lécureuil 2022-01-09 17:57:35 CET

Keywords: feedback => (none)

Comment 7 Len Lawrence 2022-01-09 18:23:34 CET
Don't know how I missed that, TJ.  Well spotted.  Four hours' work down the drain.
Waiting for the mirror to sync.

Comment 8 David Walser 2022-01-09 18:46:12 CET
ghostscript-doc-9.53.3-2.2.mga8
ghostscript-common-9.53.3-2.2.mga8
ghostscript-module-X-9.53.3-2.2.mga8
libijs-devel-0.35-162.2.mga8
libgs-devel-9.53.3-2.2.mga8
libgs9-9.53.3-2.2.mga8
ghostscript-X-9.53.3-2.2.mga8
libijs1-0.35-162.2.mga8
ghostscript-9.53.3-2.2.mga8
ghostscript-dvipdf-9.53.3-2.2.mga8

from ghostscript-9.53.3-2.2.mga8.src.rpm

Comment 9 Morgan Leijström 2022-01-09 23:23:48 CET
Quick test
OK printing using latest Canon UFRII driver, and also via Boomaga.
(I am not sure they use ghostscript, but I know Canon CQue does)

CC: (none) => fri

Comment 10 Len Lawrence 2022-01-09 23:46:41 CET
Reinstalled the updates.  All good.
The simple print tests work and gs displays Postscript.  atril displays PDFs.
CUPS lpr prints plain text and pdf files OK.
From a *.ly file lilypond generated musical scores in a variety of output formats, some of which could be handled by gs.  The pdf files were printed using lpr.
Passing this on the basis that at least four utilities can deal with text, pdf and ps files with no regressions and also Morgan's tests.

Whiteboard: (none) => MGA8-64-OK

Comment 11 Thomas Andrews 2022-01-10 00:18:29 CET
Looks like we have it this time, guys. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-11 01:28:04 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 12 Mageia Robot 2022-01-11 08:14:03 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0012.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

