ghostscript: CVE-2016-10217

Related Vulnerabilities: CVE-2016-10217   CVE-2017-8291   CVE-2017-5951   CVE-2016-10220   CVE-2016-10219  

Debian Bug report logs - #859662
ghostscript: CVE-2016-10217


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 5 Apr 2017 17:27:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version ghostscript/9.20~dfsg-3

Fixed in version ghostscript/9.20~dfsg-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.ghostscript.com/show_bug.cgi?id=697456



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#859662; Package src:ghostscript. (Wed, 05 Apr 2017 17:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 05 Apr 2017 17:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghostscript: CVE-2016-10217
Date: Wed, 05 Apr 2017 19:22:48 +0200
Source: ghostscript
Version: 9.20~dfsg-3
Severity: important
Tags: upstream security
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=697456

Hi,

the following vulnerability was published for ghostscript.

CVE-2016-10217[0]:
| The pdf14_open function in base/gdevp14.c in Artifex Software, Inc.
| Ghostscript 9.20 allows remote attackers to cause a denial of service
| (use-after-free and application crash) via a crafted file that is
| mishandled in the color management module.

To verify with an ASAN build of ghostscript:

----cut---------cut---------cut---------cut---------cut---------cut-----
# LD_LIBRARY_PATH=./sobin ./debian/tmp/usr/bin/gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER /root/gs_uaf_pdf14_cleanup_parent_color_profiles -c quit
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==4082==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00053b840 at pc 0x7f9c09ebff67 bp 0x7ffe337bb2a0 sp 0x7ffe337bb298
READ of size 8 at 0x62a00053b840 thread T0
    #0 0x7f9c09ebff66 in pdf14_cleanup_parent_color_profiles base/gdevp14.c:2016
    #1 0x7f9c09eefcef in pdf14_device_finalize base/gdevp14.c:8293
    #2 0x7f9c0a7fd262 in restore_finalize psi/isave.c:952
    #3 0x7f9c0a7fc066 in alloc_restore_step_in psi/isave.c:759
    #4 0x7f9c0a7fcbfb in alloc_restore_all psi/isave.c:886
    #5 0x7f9c0a700455 in gs_main_finit psi/imain.c:978
    #6 0x7f9c0a700a74 in gs_to_exit_with_code psi/imain.c:1013
    #7 0x7f9c0a700a9b in gs_to_exit psi/imain.c:1018
    #8 0x7f9c0a70b97b in gsapi_exit psi/iapi.c:561
    #9 0x557197880114 in main psi/dxmainc.c:90
    #10 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x55719787fd29 in _start (/root/ghostscript-9.20~dfsg/debian/tmp/usr/bin/gs+0xd29)

0x62a00053b840 is located 5696 bytes inside of 20048-byte region [0x62a00053a200,0x62a00053f050)
freed by thread T0 here:
    #0 0x7f9c0b8b7a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f9c0a4c960f in gs_heap_free_object base/gsmalloc.c:348
    #2 0x7f9c0a46655d in alloc_free_clump base/gsalloc.c:2593
    #3 0x7f9c0a45f7d1 in free_all_not_allocator base/gsalloc.c:1000
    #4 0x7f9c0a45cf20 in clump_splay_app base/gsalloc.c:602
    #5 0x7f9c0a45fa30 in i_free_all base/gsalloc.c:1036
    #6 0x7f9c0a7fd475 in restore_free psi/isave.c:989
    #7 0x7f9c0a7fc7b8 in restore_space psi/isave.c:847
    #8 0x7f9c0a7fc220 in alloc_restore_step_in psi/isave.c:784
    #9 0x7f9c0a7fcbfb in alloc_restore_all psi/isave.c:886
    #10 0x7f9c0a700455 in gs_main_finit psi/imain.c:978
    #11 0x7f9c0a700a74 in gs_to_exit_with_code psi/imain.c:1013
    #12 0x7f9c0a700a9b in gs_to_exit psi/imain.c:1018
    #13 0x7f9c0a70b97b in gsapi_exit psi/iapi.c:561
    #14 0x557197880114 in main psi/dxmainc.c:90
    #15 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f9c0b8b7d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f9c0a4c8aac in gs_heap_alloc_bytes base/gsmalloc.c:183
    #2 0x7f9c0a46560b in alloc_acquire_clump base/gsalloc.c:2430
    #3 0x7f9c0a4651c0 in alloc_add_clump base/gsalloc.c:2379
    #4 0x7f9c0a4635d3 in alloc_obj base/gsalloc.c:1991
    #5 0x7f9c0a46097c in i_alloc_struct base/gsalloc.c:1229
    #6 0x7f9c0a7dbb9c in gs_istate_alloc psi/zgstate.c:590
    #7 0x7f9c0a4ea417 in gstate_clone base/gsstate.c:1008
    #8 0x7f9c0a4e6eaf in gs_gsave base/gsstate.c:325
    #9 0x7f9c0a4e712a in gs_gsave_for_save base/gsstate.c:370
    #10 0x7f9c0a7879a0 in zsave psi/zvmem.c:84
    #11 0x7f9c0a6f3b8a in z2save psi/zdevice2.c:219
    #12 0x7f9c0a721f63 in interp psi/interp.c:1310
    #13 0x7f9c0a71d2eb in gs_call_interp psi/interp.c:511
    #14 0x7f9c0a71cc52 in gs_interpret psi/interp.c:468
    #15 0x7f9c0a6fb8d2 in gs_main_interpret psi/imain.c:245
    #16 0x7f9c0a6fe323 in gs_main_run_string_end psi/imain.c:663
    #17 0x7f9c0a6fdf6a in gs_main_run_string_with_length psi/imain.c:621
    #18 0x7f9c0a6fdedc in gs_main_run_string psi/imain.c:603
    #19 0x7f9c0a705d7c in run_string psi/imainarg.c:977
    #20 0x7f9c0a705b87 in runarg psi/imainarg.c:967
    #21 0x7f9c0a705539 in argproc psi/imainarg.c:900
    #22 0x7f9c0a701d22 in gs_main_init_with_args psi/imainarg.c:238
    #23 0x7f9c0a70b18e in gsapi_init_with_args psi/iapi.c:353
    #24 0x5571978800d4 in main psi/dxmainc.c:86
    #25 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free base/gdevp14.c:2016 in pdf14_cleanup_parent_color_profiles
Shadow bytes around the buggy address:
  0x0c548009f6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c548009f700: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c548009f710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4082==ABORTING
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10217
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697456
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
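Reading an AddressSanitizer report like the one quoted above by hand is fine once; a fuzzing or security-triage pipeline has to do it for every crash and decide which ones are the same bug. The following is an added example written for this page (it is not part of the Debian bug log, of Debian's tooling or of Ghostscript). It parses a report into its pieces (bug class, faulting access, the use/free/alloc stacks, the region geometry) and derives a dedupe signature from the first in-project frames of the faulting stack, so that line-number drift between builds does not split one root cause into many tickets. The sample input is a shortened copy of the trace from the report above; the ranking in exploitability_hint is this example's own heuristic, not anything ASan emits.

```python
"""Parse an AddressSanitizer report into structured triage data.

Added example; not code from the Debian bug log, Debian tooling or
Ghostscript.  Works on the plain-text ASan output an ASan build of any
C program prints on abort.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the trace quoted in the bug report
# (frames removed, addresses as printed there).
SAMPLE_REPORT = """\
==4082==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00053b840 at pc 0x7f9c09ebff67 bp 0x7ffe337bb2a0 sp 0x7ffe337bb298
READ of size 8 at 0x62a00053b840 thread T0
    #0 0x7f9c09ebff66 in pdf14_cleanup_parent_color_profiles base/gdevp14.c:2016
    #1 0x7f9c09eefcef in pdf14_device_finalize base/gdevp14.c:8293
    #2 0x7f9c0a7fd262 in restore_finalize psi/isave.c:952
    #3 0x7f9c0a700455 in gs_main_finit psi/imain.c:978
    #4 0x557197880114 in main psi/dxmainc.c:90
    #5 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

0x62a00053b840 is located 5696 bytes inside of 20048-byte region [0x62a00053a200,0x62a00053f050)
freed by thread T0 here:
    #0 0x7f9c0b8b7a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f9c0a4c960f in gs_heap_free_object base/gsmalloc.c:348
    #2 0x7f9c0a7fd475 in restore_free psi/isave.c:989

previously allocated by thread T0 here:
    #0 0x7f9c0b8b7d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f9c0a4c8aac in gs_heap_alloc_bytes base/gsmalloc.c:183
    #2 0x7f9c0a7dbb9c in gs_istate_alloc psi/zgstate.c:590

SUMMARY: AddressSanitizer: heap-use-after-free base/gdevp14.c:2016 in pdf14_cleanup_parent_color_profiles
==4082==ABORTING
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+)$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<len>\d+)-byte region")


@dataclass
class Frame:
    func: str
    loc: str  # "file.c:line" when symbolised, "(module+0x...)" otherwise

    @property
    def in_project(self) -> bool:
        # Frames resolved to a source file belong to the program under test;
        # "(lib.so+0x...)" frames are libc/libasan and carry no triage value.
        return not self.loc.startswith("(")


@dataclass
class AsanReport:
    kind: str
    address: str
    op: Optional[str] = None
    size: Optional[int] = None
    access: List[Frame] = field(default_factory=list)     # faulting stack
    freed: List[Frame] = field(default_factory=list)      # where the block died
    allocated: List[Frame] = field(default_factory=list)  # where it was born
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    summary: Optional[str] = None


def parse_asan_report(text: str) -> AsanReport:
    """Split the report into header, access, and the three stack traces."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no AddressSanitizer ERROR header found")
    rep = AsanReport(kind=m.group("kind"), address=m.group("addr"))
    current: Optional[List[Frame]] = None  # stack the next frames belong to
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line terminates a stack trace
            continue
        am = ACCESS_RE.match(line)
        if am:
            rep.op, rep.size = am.group("op"), int(am.group("size"))
            current = rep.access
            continue
        if line.startswith("freed by thread"):
            current = rep.freed
            continue
        if line.startswith("previously allocated by thread"):
            current = rep.allocated
            continue
        rm = REGION_RE.search(line)
        if rm:
            rep.region_offset, rep.region_size = int(rm.group("off")), int(rm.group("len"))
            continue
        if line.startswith("SUMMARY:"):
            rep.summary = line[len("SUMMARY:"):].strip()
            current = None
            continue
        fm = FRAME_RE.match(line)
        if fm and current is not None:
            current.append(Frame(fm.group("func"), fm.group("loc")))
    return rep


def crash_signature(rep: AsanReport, depth: int = 3) -> str:
    """Dedupe key: bug class plus the first `depth` in-project functions of
    the faulting stack (names only, so line numbers may drift between builds)."""
    funcs = [f.func for f in rep.access if f.in_project][:depth]
    return rep.kind + "|" + "/".join(funcs)


def exploitability_hint(rep: AsanReport) -> str:
    """Coarse queue ordering (this example's assumption, not an ASan feature):
    a write through a dangling or out-of-bounds pointer ranks above a read."""
    if rep.kind == "heap-use-after-free" or rep.kind.endswith("buffer-overflow"):
        return "high" if rep.op == "WRITE" else "medium"
    return "low"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(r), exploitability_hint(r), r.region_offset, r.region_size)
```

In practice the report text comes from the stderr of a run such as the gs invocation shown in the message (ASan prints to stderr unless ASAN_OPTIONS=log_path is set), and the signature is what gets compared against already-filed crashes before a new one is opened.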



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#859662; Package src:ghostscript. (Fri, 28 Apr 2017 05:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 28 Apr 2017 05:15:03 GMT)


Message #10 received at 859662@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859662@bugs.debian.org, 859666@bugs.debian.org, 859694@bugs.debian.org, 859696@bugs.debian.org, 861295@bugs.debian.org
Subject: ghostscript: diff for NMU version 9.20~dfsg-3.1
Date: Fri, 28 Apr 2017 07:10:52 +0200
Control: tags 859662 + patch
Control: tags 859662 + pending
Control: tags 859666 + pending
Control: tags 859694 + pending
Control: tags 859696 + pending
Control: tags 861295 + patch
Control: tags 861295 + pending

Dear maintainer,

I've prepared an NMU for ghostscript (versioned as 9.20~dfsg-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Actually, if possible and if you agree on the debdiff/patchset, an upload
earlier than the delay would be good in the light of #861295.

Regards,
Salvatore
[ghostscript-9.20~dfsg-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 859662-submit@bugs.debian.org. (Fri, 28 Apr 2017 05:15:03 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 859662-submit@bugs.debian.org. (Fri, 28 Apr 2017 05:15:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 28 Apr 2017 09:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 28 Apr 2017 09:06:05 GMT)


Message #19 received at 859662-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859662-close@bugs.debian.org
Subject: Bug#859662: fixed in ghostscript 9.20~dfsg-3.1
Date: Fri, 28 Apr 2017 09:03:57 +0000
Source: ghostscript
Source-Version: 9.20~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 28 Apr 2017 06:50:05 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.20~dfsg-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 859662 859666 859694 859696 861295
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.20~dfsg-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * -dSAFER bypass and remote command execution via a "/OutputFile  (%pipe%"
     substring (CVE-2017-8291) (Closes: #861295)
   * use the correct param list enumerator (CVE-2017-5951) (Closes: #859696)
   * fix crash with bad data supplied to makeimagedevice (CVE-2016-10220)
     (Closes: #859694)
   * Avoid divide by 0 in scan conversion code (CVE-2016-10219)
     (Closes: #859666)
   * Don't create new ctx when pdf14 device reenabled (CVE-2016-10217)
     (Closes: #859662)
Checksums-Sha1: 
 27beb46933666fd84a822dc2f11043dd9816582e 3025 ghostscript_9.20~dfsg-3.1.dsc
 ff6c9d1f36d0f4baff2f1fca1bfdbe36f2cadf75 114264 ghostscript_9.20~dfsg-3.1.debian.tar.xz
 38aba5ecd413b0fe8d6f233de1987b18ee43edbb 5630604 ghostscript-doc_9.20~dfsg-3.1_all.deb
 fd085947763beac463eb617ef0c19458bdf40f86 5160310 libgs9-common_9.20~dfsg-3.1_all.deb
Checksums-Sha256: 
 7eea1566d95e1970a46635aee3ff6d8cc528907bb0ff3815df7d5430e5bc9158 3025 ghostscript_9.20~dfsg-3.1.dsc
 d1d7e8f06ada9ec035e7f8394f9a52b793619cb1d11aaa03fa87b3caeee5ccc1 114264 ghostscript_9.20~dfsg-3.1.debian.tar.xz
 9463f519c4fd20eabcecd9fbd5801fca7376f32ce1ca4946acbd5133d1e6be25 5630604 ghostscript-doc_9.20~dfsg-3.1_all.deb
 975eb0dee2daec3abec78a5a711a266e62c097f022bd311c81eec482021469f8 5160310 libgs9-common_9.20~dfsg-3.1_all.deb
Files: 
 e175a069819fb9b4427d067224117197 3025 text optional ghostscript_9.20~dfsg-3.1.dsc
 0c1e846432225a349fc8c2468782e348 114264 text optional ghostscript_9.20~dfsg-3.1.debian.tar.xz
 58c815ac983e543243491b7868dbb1fc 5630604 doc optional ghostscript-doc_9.20~dfsg-3.1_all.deb
 553fdff0bcc31e300f5c935379b2cecf 5160310 libs optional libgs9-common_9.20~dfsg-3.1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jun 2017 07:28:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:29:16 2019; Machine Name: buxtehude
