ghostscript: CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox

Related Vulnerabilities: CVE-2018-17961   CVE-2018-18073   CVE-2018-18284  

Debian Bug report logs - #910678


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 Oct 2018 19:12:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions ghostscript/9.20~dfsg-3.2, ghostscript/9.25~dfsg-2

Fixed in version ghostscript/9.25~dfsg-3

Done: Jonas Smedegaard <dr@jones.dk>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#910678; Package src:ghostscript. (Tue, 09 Oct 2018 19:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Tue, 09 Oct 2018 19:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghostscript: CVE-2018-17961: bypassing executeonly to escape -dSAFER sandbox
Date: Tue, 09 Oct 2018 21:09:58 +0200
Source: ghostscript
Version: 9.25~dfsg-2
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ghostscript.

CVE-2018-17961[0]:
ghostscript: bypassing executeonly to escape -dSAFER sandbox

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17961
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17961
[1] https://www.openwall.com/lists/oss-security/2018/10/09/4
[2] https://bugs.chromium.org/p/project-zero/issues/detail?id=1682

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions ghostscript/9.20~dfsg-3.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 09 Oct 2018 19:15:08 GMT)


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Thu, 18 Oct 2018 22:54:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 18 Oct 2018 22:54:07 GMT)


Message #12 received at 910678-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 910678-close@bugs.debian.org
Subject: Bug#910678: fixed in ghostscript 9.25~dfsg-3
Date: Thu, 18 Oct 2018 22:51:56 +0000
Source: ghostscript
Source-Version: 9.25~dfsg-3

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 19 Oct 2018 00:11:32 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.25~dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 910678 910758 911175
Changes:
 ghostscript (9.25~dfsg-3) unstable; urgency=medium
 .
   * Add patches cherry-picked upstream to fix execution issues.
     + Implement .currentoutputdevice operator
     + Change "executeonly" to throw typecheck on gstatetype and
       devicetype objects
     + Undefine some additional internal operators.
     + Fix handling of .needinput if used from interpreter
     + Ensure all errors are included from initialization
     + setundercolorremoval memory corruption
     + copydevice fails after stack device copies invalidated
     + add operand checking to .setnativefontmapbuilt
     + add object type check for AES key
     + Add parameter type checking on .bigstring
     + zparse_dsc_comments can crash with invalid dsc_state
     + Catch errors in setpagesize, .setpagesize and setpagedevice and
       cleanup
     + Catch errors and cleanup stack on statusdict page size definitions
     + Add parameter checking in setresolution
     + device subclass open_device call must return child code
     + fix DSC comment parsing in pdfwrite
     + Check all uses of dict_find* to ensure 0 return properly handled
     + permit Mod and CreDate pdfmarks in PDF 2.0 in pdfwrite
     + Avoid overrunning non terminated string buffer.
     + Prevent SEGV in gs_setdevice_no_erase.
     + Fix uninitialised value for render_cond.
     + Hide the .needinput operator
     + filenameforall calls bad iodev with insufficient scratch
     + Improve hiding of security critical custom operators
     + Prevent SEGV after calling gs_image_class_1_simple.
     + don't push userdict in preparation for Type 1 fonts
     + add control over hiding error handlers.
     + For hidden operators, pass a name object to error handler.
     + Explicitly exclude /unknownerror from the SAFERERRORLIST
     + don't include operator arrays in execstack output
     + Make .forceput unavailable from '.policyprocs' helper dictionary
     + .loadfontloop must be an operator
     + font parsing - prevent SEGV in .cffparse
     Closes: Bug#910678, #910758, #911175
     (CVE-2018-17961, CVE-2018-18073, CVE-2018-18284).
     Thanks to Salvatore Bonaccorso.
   * Unfuzz patches.
   * Declare compliance with Debian Policy 4.2.1.
   * Update symbols: 1 private added.
Checksums-Sha1:
 2a5c3e83d158aeca87e4077719924efff95ee084 2720 ghostscript_9.25~dfsg-3.dsc
 f82c55f48dc57af9eb460b7ea6f77ef186df7657 132580 ghostscript_9.25~dfsg-3.debian.tar.xz
 58bba3739d90587c06983c208792a50640a9c835 11625 ghostscript_9.25~dfsg-3_amd64.buildinfo
Checksums-Sha256:
 df9cd4c6d6572127f1cab968519b7d9c154cf452ca61ade5de0b0d489813b118 2720 ghostscript_9.25~dfsg-3.dsc
 5cac2f3fc568c3be3006abd590f478c70df2970739e6916e1f9519483f4e7b32 132580 ghostscript_9.25~dfsg-3.debian.tar.xz
 cf52b3e657033486565dcf9d396e9d1d12cd659053d4cdf7157d71139a27918a 11625 ghostscript_9.25~dfsg-3_amd64.buildinfo
Files:
 bcf7ddc5b2d5cece29577526ac7e7d2e 2720 text optional ghostscript_9.25~dfsg-3.dsc
 9d7dd39fe9df5ab52e2f7bdea6e8070e 132580 text optional ghostscript_9.25~dfsg-3.debian.tar.xz
 001ce1e5e9e68a9be4b45c4efffafd7e 11625 text optional ghostscript_9.25~dfsg-3_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:39 2019; Machine Name: buxtehude
