ghostscript: CVE-2016-7976: various userparams allow %pipe% in paths, allowing remote shell command execution

Related Vulnerabilities: CVE-2016-7976, CVE-2013-5653, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602

Debian Bug report logs - #839260


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Fri, 30 Sep 2016 21:39:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version ghostscript/9.19~dfsg-3

Fixed in versions ghostscript/9.06~dfsg-2+deb8u2, ghostscript/9.19~dfsg-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.ghostscript.com/show_bug.cgi?id=697178



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#839260; Package ghostscript. (Fri, 30 Sep 2016 21:39:04 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 30 Sep 2016 21:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: ghostscript: various sandbox bypasses
Date: Fri, 30 Sep 2016 23:36:22 +0200
Package: ghostscript
Version: 9.19~dfsg-3
Tags: security
Severity: grave

Tavis Ormandy has reported several sandbox bypasses on the
oss-security mailing list.

  <http://www.openwall.com/lists/oss-security/2016/09/29/3>
    (also see follow-ups)

Filed upstream as:

  <http://bugs.ghostscript.com/show_bug.cgi?id=697169>
  <http://bugs.ghostscript.com/show_bug.cgi?id=697178>

This is a fairly important security issue because it introduces
vulnerabilities into CUPS and programs such as mail clients which use
mailcap entries and run Ghostscript indirectly.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2016 09:00:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#839260; Package ghostscript. (Wed, 05 Oct 2016 17:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Wed, 05 Oct 2016 17:21:03 GMT)


Message #12 received at 839260@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 839260@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#839260: ghostscript: various sandbox bypasses
Date: Wed, 5 Oct 2016 19:19:04 +0200
clone 839260 -1
retitle -1 ghostscript: .libfile doesn't check PermitFileReading array, allowing remote file disclosure
forwarded -1 http://bugs.ghostscript.com/show_bug.cgi?id=697169
retitle 839260 ghostscript: various userparams allow %pipe% in paths, allowing remote shell command execution
forwarded 839260 http://bugs.ghostscript.com/show_bug.cgi?id=697178
thanks

Hi

Hope I will not create a mess here. But on oss-security two distinct
CVE IDs were requested for the respective issues for those two
upstream bugs. So let's try to separate them here as well.

FTR, the CVE request is here:
http://www.openwall.com/lists/oss-security/2016/10/05/7

Regards,
Salvatore



Bug 839260 cloned as bug 839841 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Oct 2016 17:21:05 GMT)


Changed Bug title to 'ghostscript: various userparams allow %pipe% in paths, allowing remote shell command execution' from 'ghostscript: various sandbox bypasses'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Oct 2016 17:21:06 GMT)


Set Bug forwarded-to-address to 'http://bugs.ghostscript.com/show_bug.cgi?id=697178'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Oct 2016 17:21:07 GMT)


Changed Bug title to 'ghostscript: CVE-2016-7976: various userparams allow %pipe% in paths, allowing remote shell command execution' from 'ghostscript: various userparams allow %pipe% in paths, allowing remote shell command execution'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Oct 2016 18:27:07 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 10 Oct 2016 17:36:18 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 12 Oct 2016 22:21:15 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Wed, 12 Oct 2016 22:21:15 GMT)


Message #27 received at 839260-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 839260-close@bugs.debian.org
Subject: Bug#839260: fixed in ghostscript 9.06~dfsg-2+deb8u2
Date: Wed, 12 Oct 2016 22:17:11 +0000
Source: ghostscript
Source-Version: 9.06~dfsg-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839260@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Oct 2016 13:30:08 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.06~dfsg-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 839118 839260 839841 839845 839846
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2013-5653: Information disclosure through getenv, filenameforall
     (Closes: #839118)
   * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
     shell command execution (Closes: #839260)
   * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
     remote file disclosure (Closes: #839841)
   * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
     remote code execution (Closes: #839845)
   * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
     execution (Closes: #839846)
Checksums-Sha1: 
 b588704da31bacdd39d8673723b000827468a5f9 3015 ghostscript_9.06~dfsg-2+deb8u2.dsc
 67365aa74ac2a302e082dc6b2124662a3e08d686 96344 ghostscript_9.06~dfsg-2+deb8u2.debian.tar.xz
 3fb2685b8fa3fa1714bf642ce73bf4aabe60e6f2 5067220 ghostscript-doc_9.06~dfsg-2+deb8u2_all.deb
 4eac087f729feaa9e3535d7e91d7c8516528bac7 1979836 libgs9-common_9.06~dfsg-2+deb8u2_all.deb
Checksums-Sha256: 
 f74449c2025e1ca7f97da0f9d875bb00b19c65d8f35a2158f56aae10a455407e 3015 ghostscript_9.06~dfsg-2+deb8u2.dsc
 e00a08abdf3e10cbb4a06c9758fc01fe7d5997c4a87c3e2e5ff32545dcec244e 96344 ghostscript_9.06~dfsg-2+deb8u2.debian.tar.xz
 d33dd656712051f325116ccfc2932b8fc36473ef8bc376002384bb66825b7fde 5067220 ghostscript-doc_9.06~dfsg-2+deb8u2_all.deb
 011526d50434dfc45365cb08a319c15fa9f3738b4ffe58426b26b7a5f4cce9d7 1979836 libgs9-common_9.06~dfsg-2+deb8u2_all.deb
Files: 
 deecd3c66493c1737b5956ff7fdacd5e 3015 text optional ghostscript_9.06~dfsg-2+deb8u2.dsc
 fcc27764c58d681a71cf82757b2b2e6c 96344 text optional ghostscript_9.06~dfsg-2+deb8u2.debian.tar.xz
 a26fa2eba469b8cbfcdf7c846dfc8082 5067220 doc optional ghostscript-doc_9.06~dfsg-2+deb8u2_all.deb
 5d690f48416c022b1ca3c26e28fe4f26 1979836 libs optional libgs9-common_9.06~dfsg-2+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 839118-submit@bugs.debian.org. (Sun, 16 Oct 2016 19:00:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#839260; Package ghostscript. (Sun, 16 Oct 2016 19:00:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Printing Team <debian-printing@lists.debian.org>. (Sun, 16 Oct 2016 19:00:08 GMT)


Message #34 received at 839260@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 839118@bugs.debian.org, 839260@bugs.debian.org, 839841@bugs.debian.org, 839845@bugs.debian.org, 839846@bugs.debian.org, 840451@bugs.debian.org
Subject: ghostscript: diff for NMU version 9.19~dfsg-3.1
Date: Sun, 16 Oct 2016 20:56:38 +0200
Control: tags 839118 + patch
Control: tags 839260 + patch
Control: tags 839841 + patch
Control: tags 839845 + patch

Dear maintainer,

I've now prepared an NMU debdiff for ghostscript for the version in
unstable as well. Due to further investigation needed for #840691
I'm not yet uploading.

After updating ghostscript the same problems seem visible in unstable
for evince and zathura, and I'm not yet sure that the patches just
uncovered a bug in libspectre. Help in debugging this would be
welcome.

Regards,
Salvatore
[ghostscript-9.19~dfsg-3.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 28 Oct 2016 18:21:12 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Fri, 28 Oct 2016 18:21:12 GMT)


Message #39 received at 839260-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 839260-close@bugs.debian.org
Subject: Bug#839260: fixed in ghostscript 9.19~dfsg-3.1
Date: Fri, 28 Oct 2016 18:20:44 +0000
Source: ghostscript
Source-Version: 9.19~dfsg-3.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839260@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Oct 2016 13:25:52 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: all source
Version: 9.19~dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 839118 839260 839841 839845 839846 840451
Description: 
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.19~dfsg-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2013-5653: Information disclosure through getenv, filenameforall
     (Closes: #839118)
   * CVE-2016-7976: Various userparams allow %pipe% in paths, allowing remote
     shell command execution (Closes: #839260)
   * CVE-2016-7977: .libfile doesn't check PermitFileReading array, allowing
     remote file disclosure (Closes: #839841)
   * CVE-2016-7978: reference leak in .setdevice allows use-after-free and
     remote code execution (Closes: #839845)
   * CVE-2016-7979: type confusion in .initialize_dsc_parser allows remote code
     execution (Closes: #839846)
   * CVE-2016-8602: check for sufficient params in .sethalftone5 and param
     types (Closes: #840451)
   * Add 840691-Fix-.locksafe.patch patch.
     Fixes regression seen with zathura and evince. Fix .locksafe. We need to
     .forceput the definition of getenv into systemdict.
     Thanks to Edgar Fuß <ef@math.uni-bonn.de>
Checksums-Sha1: 
 73e9eb76a5189dc9a1bd57752b26f4edae837946 2997 ghostscript_9.19~dfsg-3.1.dsc
 d969bd2cc53abe7352922c1853c47e7ccb0d8eeb 106324 ghostscript_9.19~dfsg-3.1.debian.tar.xz
 285f6d7b5828229ebfd9ba92d92168fabc90331a 5568784 ghostscript-doc_9.19~dfsg-3.1_all.deb
 20aa04760215363e21fdffde03a4f23f7ce2111b 3030750 libgs9-common_9.19~dfsg-3.1_all.deb
Checksums-Sha256: 
 d0c44fabebe04b6d2797d61df9940c1ac5897ff47d0dd3882e6eaa603fdd6642 2997 ghostscript_9.19~dfsg-3.1.dsc
 0e22f98aed5e9b705a241acd401303c57467b686363912bf6c85422c587e90bb 106324 ghostscript_9.19~dfsg-3.1.debian.tar.xz
 5526424d99b60b40665177bb93927f5620aaddb458e2624922d56b49670c8a10 5568784 ghostscript-doc_9.19~dfsg-3.1_all.deb
 55ad19603838e06a2fd2d5b69ffd2bdb9d4899f8714c5b050ee94f760e710c6f 3030750 libgs9-common_9.19~dfsg-3.1_all.deb
Files: 
 679cdcc87ac7a4382519dcfeace22a46 2997 text optional ghostscript_9.19~dfsg-3.1.dsc
 8668693afcef4280199b80fd08e1a754 106324 text optional ghostscript_9.19~dfsg-3.1.debian.tar.xz
 439b9da68e9e157294b64d472f99cc5e 5568784 doc optional ghostscript-doc_9.19~dfsg-3.1_all.deb
 6aa26679d65514fccb63fb82e3343d0b 3030750 libs optional libgs9-common_9.19~dfsg-3.1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:07:00 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:57:30 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:19:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:06:34 2019; Machine Name: buxtehude