Debian Bug report logs -
#907332
ghostscript has a new code execution issue, even when used with -dSAFER
Reported by: Nicolas Braud-Santoni <nicoo@debian.org>
Date: Sun, 26 Aug 2018 17:12:01 UTC
Severity: grave
Tags: security, upstream
Found in versions ghostscript/9.20~dfsg-1, ghostscript/9.22~dfsg-2.1
Fixed in version ghostscript/9.22~dfsg-3
Done: Jonas Smedegaard <dr@jones.dk>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Sun, 26 Aug 2018 17:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas Braud-Santoni <nicolas@braud-santoni.eu>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>.
(Sun, 26 Aug 2018 17:12:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole
Hi,
Tavis Ormandy disclosed a new ghoscript security issue, leading directly to code
execution: http://openwall.com/lists/oss-security/2018/08/21/2
I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and
I was able to reproduce the issue on my system:
> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
>
> $ convert exploit.jpg exploit.gif :(
> uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d' '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @ error/convert.c/ConvertImageCommand/3258.
>
> $ apt-cache policy ghostscript
> ghostscript:
> Installed: 9.22~dfsg-2.1
> Candidate: 9.22~dfsg-2.1
> Version table:
> *** 9.22~dfsg-2.1 990
> 990 http://localhost:3142/debian buster/main amd64 Packages
> 500 http://localhost:3142/debian sid/main amd64 Packages
> 100 /var/lib/dpkg/status
I'm attaching the relevant files.
Best,
nicoo
[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ghostscript depends on:
ii debconf [debconf-2.0] 1.5.69
ii libc6 2.27-5
ii libgs9 9.22~dfsg-2.1
Versions of packages ghostscript recommends:
ii gsfonts 1:8.11+urwcyr1.0.7~pre44-4.4
Versions of packages ghostscript suggests:
pn ghostscript-x <none>
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Sun, 26 Aug 2018 17:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefano Rivera <stefanor@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Sun, 26 Aug 2018 17:30:03 GMT) (full text, mbox, link).
Message #10 received at 907332@bugs.debian.org (full text, mbox, reply):
Control: tag -1 stretch
> I was able to reproduce the issue on my system:
Reproduced on stretch too.
SR
--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
Added tag(s) stretch.
Request was from Stefano Rivera <stefanor@debian.org>
to 907332-submit@bugs.debian.org.
(Sun, 26 Aug 2018 17:30:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Sun, 26 Aug 2018 17:33:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas Braud-Santoni <nicolas@braud-santoni.eu>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Sun, 26 Aug 2018 17:33:10 GMT) (full text, mbox, link).
Message #17 received at 907332@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
>
> I'm attaching the relevant files.
Oops, forgot the attachments.
[exploit.jpg (image/jpeg, attachment)]
[exploit.ps (application/postscript, attachment)]
[signature.asc (application/pgp-signature, inline)]
Removed tag(s) sid and buster.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 26 Aug 2018 19:39:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Sun, 26 Aug 2018 19:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Sun, 26 Aug 2018 19:57:06 GMT) (full text, mbox, link).
Message #24 received at 907332@bugs.debian.org (full text, mbox, reply):
Hi,
On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> Tavis Ormandy disclosed a new ghoscript security issue, leading directly to code
> execution: http://openwall.com/lists/oss-security/2018/08/21/2
There are actually several issues, see the whole thread. For now since
you filled this bug will track all those with this bug entry. Proper
evaluation though is still pending (and Moritz is taking care of
strech, adding this note to dsa-needed file ("needs some research on
issues found by Tavis").
See
https://www.kb.cert.org/vuls/id/332928
the current set of fixes:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
Regards,
Salvatore
Removed tag(s) stretch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 26 Aug 2018 19:57:07 GMT) (full text, mbox, link).
Marked as found in versions ghostscript/9.20~dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 26 Aug 2018 19:57:08 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 26 Aug 2018 20:09:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Mon, 27 Aug 2018 18:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Mon, 27 Aug 2018 18:36:03 GMT) (full text, mbox, link).
Message #35 received at 907332@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> Hi,
>
> On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > Tavis Ormandy disclosed a new ghoscript security issue, leading directly to code
> > execution: http://openwall.com/lists/oss-security/2018/08/21/2
>
> There are actually several issues, see the whole thread. For now since
> you filled this bug will track all those with this bug entry. Proper
> evaluation though is still pending (and Moritz is taking care of
> strech, adding this note to dsa-needed file ("needs some research on
> issues found by Tavis").
>
> See
>
> https://www.kb.cert.org/vuls/id/332928
>
> the current set of fixes:
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#907332; Package ghostscript.
(Mon, 27 Aug 2018 20:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>.
(Mon, 27 Aug 2018 20:30:02 GMT) (full text, mbox, link).
Message #40 received at 907332@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon, Aug 27, 2018 at 08:34:25PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> > Hi,
> >
> > On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > > Tavis Ormandy disclosed a new ghoscript security issue, leading directly to code
> > > execution: http://openwall.com/lists/oss-security/2018/08/21/2
> >
> > There are actually several issues, see the whole thread. For now since
> > you filled this bug will track all those with this bug entry. Proper
> > evaluation though is still pending (and Moritz is taking care of
> > strech, adding this note to dsa-needed file ("needs some research on
> > issues found by Tavis").
> >
> > See
> >
> > https://www.kb.cert.org/vuls/id/332928
> >
> > the current set of fixes:
> >
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
>
> Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19
A first set of CVEs has now been assigned already:
CVE-2018-15908, CVE-2018-15909 and CVE-2018-15910.
Regards,
Salvatore
Reply sent
to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.
(Mon, 27 Aug 2018 22:24:03 GMT) (full text, mbox, link).
Notification sent
to Nicolas Braud-Santoni <nicolas@braud-santoni.eu>:
Bug acknowledged by developer.
(Mon, 27 Aug 2018 22:24:03 GMT) (full text, mbox, link).
Message #45 received at 907332-close@bugs.debian.org (full text, mbox, reply):
Source: ghostscript
Source-Version: 9.22~dfsg-3
We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 907332@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Aug 2018 00:05:05 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.22~dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
ghostscript - interpreter for the PostScript language and for PDF
ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
libgs-dev - interpreter for the PostScript language and for PDF - Development
libgs9 - interpreter for the PostScript language and for PDF - Library
libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 907332
Changes:
ghostscript (9.22~dfsg-3) unstable; urgency=high
.
* Add patches cherry-picked upstream to fix execution issues:
+ Properly apply file permissions to .tempfile.
+ Don't just assume an object is a t_(a)struct.
+ Fix handling of pre-SAFER opened files.
+ Properly check return value when getting value from a dictionary.
+ Handle LockDistillerParams not being a boolean.
+ Fix shading_param incomplete type checking.
+ Ensure the correct is in place before cleanup.
+ Check the restore operand type.
+ Fix memory corruption in aesdecode.
+ Fix handle stack overflow during error handling.
+ Avoid sharing pointers between pdf14 compositors.
+ Improve restore robustness.
+ Hide the .shfill operator.
Closes: Bug#907332. Thanks to Nicolas Braud-Santoni.
* Use package section optional (not extra).
* Extend lintian overrides regarding License-Reference.
* Declare compliance with Debian Policy 4.2.0.
Checksums-Sha1:
b8eb3e03815e939d8fc9b962b37b319cea45eca1 2745 ghostscript_9.22~dfsg-3.dsc
dadb1522471552920d4f68f210da9c3851d51247 112052 ghostscript_9.22~dfsg-3.debian.tar.xz
c9953c0dea6874765e6b3cad1a77ed7fe5dd3a62 11698 ghostscript_9.22~dfsg-3_amd64.buildinfo
Checksums-Sha256:
d08bf6f48f9ee6bffae77a0d81a3b6809a97aa78c350064a78652af2b1356036 2745 ghostscript_9.22~dfsg-3.dsc
1dfce2417808cf299ce9d6cb07751ae2d285772e71506a5752f084d7a90472ff 112052 ghostscript_9.22~dfsg-3.debian.tar.xz
41326e94b2840ef0371a001280e9f97f38f6ceaaeda2ac89c5c80b9c0630c6f8 11698 ghostscript_9.22~dfsg-3_amd64.buildinfo
Files:
e4c0bba718411389348034d81acfae5c 2745 text optional ghostscript_9.22~dfsg-3.dsc
86ac72bed6c6be02d6d18af997d54a83 112052 text optional ghostscript_9.22~dfsg-3.debian.tar.xz
e3e7fec12fa9dafb5201c74e1d6c4e17 11698 text optional ghostscript_9.22~dfsg-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAluEdrAACgkQLHwxRsGg
ASGIWA//cEBRY6EMR+I8x0Z1xSGmmx1AHrbjmnpZYZDkOJ+IGagkam//E3OzLWS+
of0IyiUvQBNW5BoV2h4GwaYhkGe12Osoc05+yOPXp76OnOCIJTzK2CWY6gVeykZz
M6jQm8f2EF/1Zzt04xJzn+KTvxV/eUOqYqGOHpwAMZnL9NL4YllahLrI6udlJzWU
lkX3PJD4O7ScbTxA+8MwYrsQSNz1sJnwHRNxLnL8UBVQt0+NC7LF6gH/u4VFJiFH
w7t/QinVA6HvYcRLCVPHY3dZnhDgNI8mmvjWfPT2d7SiJFycwi0YZNe74XGvYxW+
WCDBnuktri3PFtuNa/8eSrJmVin5cJTuOshTkwUCT8nVwmxG9peWEk5vNH0wEy4/
o2AY4/zVonZeAjSLA+xXK2uj22BdhN15DpDa2JvyiZkb/pVZHmX4H2G1qhVUIL2Y
kA8aiR7jmtlMk2fBRrKnCkWVS6vUNCTwr7aKSKMF6LTvOrztKZ7P6Cd8/aQZMXE7
FwWh4AWW3kIYozirfcFgcAOV2J1Mip+ian82IjYaT2+YJtCfxyA+TKE9a9PSNQco
F7d+HIdH8GWYzawhIEOGhjd8MHYWzOlVH5wAHZNDW1CElDk8UbFbCUrAt2MfYaJw
i7SUjCSOcVaZ0fdo7tHErpDHnUdST2lIqZSEzldRlSLkDWPCuuo=
=wb3f
-----END PGP SIGNATURE-----
Changed Bug submitter to 'Nicolas Braud-Santoni <nicoo@debian.org>' from 'Nicolas Braud-Santoni <nicolas@braud-santoni.eu>'.
Request was from Nicolas Braud-Santoni <nicoo@debian.org>
to control@bugs.debian.org.
(Thu, 15 Nov 2018 18:12:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:22:31 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon
