Bug 32260 - ghostpcl new security issue CVE-2023-38560
Summary: ghostpcl new security issue CVE-2023-38560
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-07 13:46 CEST by Nicolas Salguero
Modified: 2023-09-25 00:18 CEST

See Also:
Source RPM: ghostpcl-10.0.0-2.mga9.src.rpm
CVE:
Status comment:


Attachments
An old letter in PCL format (28.59 KB, application/vnd.hp-pcl)
2023-09-19 16:41 CEST, Thomas Andrews

Description Nicolas Salguero 2023-09-07 13:46:20 CEST
An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.
Nicolas Salguero 2023-09-07 13:47:18 CEST

Source RPM: (none) => ghostpcl-10.0.0-2.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => nicolas.salguero
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2023-09-07 14:07:35 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format. (CVE-2023-38560)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38560
========================

Updated package in 8/core/updates_testing:
========================
ghostpcl-9.53.3-2.1.mga8

from SRPM:
ghostpcl-9.53.3-2.1.mga8.src.rpm

Updated package in 9/core/updates_testing:
========================
ghostpcl-10.0.0-2.1.mga9

from SRPM:
ghostpcl-10.0.0-2.1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2023-09-18 16:44:18 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Used sample file as indicated in bug 25780 Comment 2:
$ gpcl6 sample.pcl 
End of page 1, press <enter> to continue.
etc....
the file displays correctly page per page, OK.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 3 Thomas Andrews 2023-09-19 03:37:24 CEST
MGA9-64 Plasma, i5-2500, Intel graphics, Acer 23.5-inch HD monitor. No installation issues.

I still have the Kelly.pcl file I generated for bug 25780 comment 3, but when I tried Herman's command this is what I get:

$ gpcl6 Kelly.pcl
%%BoundingBox: 28 537 458 772
%%HiResBoundingBox: 28.560001 537.960021 457.440017 771.240029
End of page 1, press <enter> to continue.

%%BoundingBox: 89 122 522 718
%%HiResBoundingBox: 89.880003 122.520005 521.760020 717.240027
End of page 2, press <enter> to continue.

There was no display of the file at all. Results were similar with Herman's sample.pcl file, except it was 20 pages long.

So, I tried another command, and this is what I got:

$ pcl2pdfwr Kelly.pcl Kelly.pdf
Usage for -d is -d<option>=[<integer>|<float>|null|true|false|name]

So, either the commands have had major changes in this version, or something is very broken.

CC: (none) => andrewsfarm

Comment 4 Herman Viaene 2023-09-19 08:47:19 CEST
TJ,
Can you attach that file? I would like to have a look.
Comment 5 Thomas Andrews 2023-09-19 14:20:49 CEST
I'm not at that computer right now, but I will. 

I'm on my Probook 6550b at the moment, which has both MGA8-64 and MGA9-64 Plasma installs in a multi-boot situation. I can confirm that the gpcl6 command works properly with the newly downloaded sample.pcl file on MGA8, but does not on MGA9. In fact, the ghostpcl version originally shipped with MGA9 doesn't work, either.
Comment 6 Thomas Andrews 2023-09-19 16:41:21 CEST
Created attachment 13999
An old letter in PCL format

This is a 2002 letter and envelope to the outdoor writer of our local newspaper, speculating on the intelligence of deer hunters on opening day of gun season. The original letter would have been written using Microsoft Word in Windows 98SE. (I had only been using Mandrake for a short time, and would not have been comfortable using it for this kind of thing yet.)

The writer has long since retired, the newspaper now has a different parent company, and the address has changed. But the question remains...
Comment 7 Thomas Andrews 2023-09-19 16:44:22 CEST
BTW, I'm aware that the letter includes my address. That's OK. I give my address out frequently. My business depends on me being easy to find.
Comment 8 Herman Viaene 2023-09-20 10:10:50 CEST
Using TJ's file:
$ gpcl6 Kelly.pcl 
End of page 1, press <enter> to continue.

End of page 2, press <enter> to continue.

Display is OK, no problems. I can't see any reason to remove the OK.
Comment 9 Thomas Andrews 2023-09-20 13:27:11 CEST
OK for me too with Mageia 8. I'd be fine with sending the Mageia 8 update on its way.

Mageia 9, however, is a different story. I can't get that to work at all. The original ghostpcl for Mageia 9 doesn't work for me, either.

Nicolas, would it be possible to split this up, send the Mageia 8 update along, and just have a Mageia 9 bug?
Comment 10 Nicolas Salguero 2023-09-20 16:28:35 CEST
I tried to fix the problem with ghostpcl for Mageia 9.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format. (CVE-2023-38560)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38560
========================

Updated package in 8/core/updates_testing:
========================
ghostpcl-9.53.3-2.1.mga8

from SRPM:
ghostpcl-9.53.3-2.1.mga8.src.rpm

Updated package in 9/core/updates_testing:
========================
ghostpcl-10.0.0-2.2.mga9

from SRPM:
ghostpcl-10.0.0-2.2.mga9.src.rpm
Comment 11 Thomas Andrews 2023-09-21 03:18:59 CEST
MGA9-64 Plasma. No installation issues.

Tried the command again:

$ gpcl6 Kelly.pcl
End of page 1, press <enter> to continue.

End of page 2, press <enter> to continue.

Warning: Missing charsets in String to FontSet conversion
Warning: Cannot convert string "-efont-biwidth-medium-r-normal--16-*-*-*-*-*-iso10646-1,-gnu-unifont-medium-r-normal--16-*-*-*-*-*-iso10646-1,-adobe-helvetica-medium-r-normal--14-*-*-*-*-*-*-*,-jis-fixed-medium-r-*--16-*-*-*-*-*-jisx0208.1983-0,-*-*-medium-r-*--16-*-*-*-*-*-*-*,*" to type FontSet

I suspect the above warnings are due to the original being in an old Word format, with an old Windows font. The document was displayed, and was readable.

$ pcl2pdfwr Kelly.pcl Kelly.pdf

Kelly.pdf was created, with no warnings.

Looks OK to me now.

Validating. Advisory in comment 10.

Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-09-22 02:23:15 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 12 Mageia Robot 2023-09-25 00:18:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0267.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

