Bug 693002 (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817) - <app-text/ghostscript-gpl-9.28_rc4: multiple vulnerabilities (CVE-2019-{14811,14812,14813,14817})
Status: RESOLVED FIXED
Alias: CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2019-3835, CVE-2019-3838, CVE-2019-6116, CVE-2019-10216
Reported: 2019-08-28 12:51 UTC by Agostino Sarubbo
Modified: 2020-04-01 19:53 UTC

See Also:
Package list:
app-text/ghostscript-gpl-9.50 media-libs/jbig2dec-0.17-r1 net-print/cups-filters-1.25.11 app-text/qpdf-9.0.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2019-08-28 12:51:31 UTC
From ${URL} :

This is to report another 4 CVEs in ghostscript, rated important. They are all similar to the recently reported CVE-2019-10216 (reference to `.forceput` can be accessed)

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includes displaying (rasterization & rendering) and printing of document pages, as well as conversions between different document formats.
URL : www.ghostscript.com

1- CVE-2019-14811 : Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)

2- CVE-2019-14812 : Safer Mode Bypass by .forceput Exposure in setuserparams (701444)

3- CVE-2019-14813 : Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)

4- CVE-2019-14817 : Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)

In each case, a specially crafted script could get a reference to .forceput and use that to disable the -dSAFER protection. This then allows the script to access the file system outside of restricted areas and execute arbitrary commands.
Regarding CVE-2019-14817, only the .pdfexectoken procedure was proven to be vulnerable, the other fixed methods were only potentially vulnerable.

Preventing the modification of the error handler might protect most of these vulnerable functions.

The fixes have been pushed upstream :

CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33

CVE-2019-14817 : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Acknowledgments :
CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 were reported to upstream by Hiroki MATSUKUMA of Cyber Defense Institute, Inc.


Noteworthy (similar to CVE-2019-10216) :
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFile* entries from systemdict's /userparams entry should have no effect.
That is to say: getting a reference to a highly privileged function (such as .forceput) can still be used to remove SAFER and modify the /PermitFile* lists. However, the interpreter will still refuse to access files outside of a list provided from a set of command line options. This should mitigate the class of ghostscript vulnerabilities similar to the one described above.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
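Added example, not part of this bug report or of Ghostscript itself: a small Python probe a maintainer can run after the bump to confirm that the interpreter still refuses file reads outside the permitted list, which is the mitigation the description above relies on. It assumes a `gs` binary on PATH and Ghostscript's `--permit-file-read=` option from the 9.50 file-access rework; the probe path, the `PROBE_READ_OK` marker and the result labels are this script's own choices.

```python
"""Probe whether an installed Ghostscript enforces SAFER file access.

Added example: not code from this bug report or from Ghostscript.
Assumes a `gs` binary on PATH and the `--permit-file-read=` option that
arrived with the 9.50 file-access rework. The probe path, the marker
string and the result labels below are this script's own choices.
"""
import re
import shutil
import subprocess

GS = "gs"

# Constructed PostScript probe: open PATH for reading, close it, and print
# a marker. Under -dSAFER, `file` must fail with /invalidfileaccess unless
# PATH is covered by a --permit-file-read entry.
PROBE_TEMPLATE = "({path}) (r) file closefile (PROBE_READ_OK) = flush"

VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_gs_version(text):
    """Turn `gs --version` output such as '9.50\\n' into (9, 50)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2))


def has_permit_options(version):
    """Assumption: --permit-file-* is available from 9.50 on, not before."""
    return version >= (9, 50)


def build_argv(path, permit_read=None, gs=GS):
    """Command line for the probe; -dSAFER is explicit although 9.50 defaults to it."""
    argv = [gs, "-q", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dNODISPLAY"]
    if permit_read is not None:
        argv.append("--permit-file-read=" + permit_read)
    argv += ["-c", PROBE_TEMPLATE.format(path=path)]
    return argv


def classify(output):
    """Map interpreter output to 'allowed', 'denied' or 'error'."""
    if "PROBE_READ_OK" in output:
        return "allowed"
    if "invalidfileaccess" in output:
        return "denied"
    return "error"


def probe(path, permit_read=None, gs=GS):
    """Run the probe against a real binary; 'no-gs' when it is missing."""
    if shutil.which(gs) is None:
        return "no-gs"
    proc = subprocess.run(build_argv(path, permit_read, gs),
                          capture_output=True, text=True)
    # Ghostscript reports PostScript errors on stdout; check both streams.
    return classify(proc.stdout + proc.stderr)


def main():
    if shutil.which(GS) is None:
        print("gs not found on PATH")
        return
    out = subprocess.run([GS, "--version"], capture_output=True, text=True).stdout
    ver = parse_gs_version(out)
    print("ghostscript %d.%02d, permit options: %s"
          % (ver[0], ver[1], has_permit_options(ver)))
    target = "/etc/hostname"  # any readable file outside Ghostscript's own tree
    print("default SAFER read of %s: %s" % (target, probe(target)))
    if has_permit_options(ver):
        print("with --permit-file-read=%s: %s"
              % (target, probe(target, permit_read=target)))


if __name__ == "__main__":
    main()
```

On a fixed 9.50 the first probe should report `denied` and the second `allowed`; an `allowed` result without the permit option means SAFER file restrictions are not being enforced on that install and the version should be checked against the package list above.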
Comment 1 Agostino Sarubbo gentoo-dev 2019-08-28 12:53:03 UTC
I guess that 2.28 will have the fixes. In the meantime, the latest releases also contain fixes for security issues discovered from fuzzing.
Comment 2 Larry the Git Cow gentoo-dev 2019-10-07 00:35:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=215d56f50a764294df20c6a378fbe9b709fe056d

commit 215d56f50a764294df20c6a378fbe9b709fe056d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-07 00:35:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-07 00:35:23 +0000

    app-text/ghostscript-gpl: bump to v9.28rc4
    
    Bug: https://bugs.gentoo.org/693002
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-text/ghostscript-gpl/Manifest                  |   2 +
 .../ghostscript-gpl-9.28_rc4.ebuild                | 200 +++++++++++++++++++++
 2 files changed, 202 insertions(+)
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-10-24 01:33:13 UTC
Ghostscript 9.50 was released on 2019-10-15:
https://ghostscript.com/pipermail/gs-devel/2019-October/010232.html

"""
The more astute among you might notice that 9.28 has morphed into 9.50.
In a recent discussion amongst the Ghostscript developers, it became
clear that the redesign and reimplementation of the file security
features warranted more recognition than just the usual single digit
version increment. Hence we opted to bump it up to 9.50.
"""
Comment 4 Arfrever Frehtes Taifersar Arahesis 2019-10-24 23:36:41 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afdbdbedba9222816f18bbf03d102bdb73ce3a15

commit afdbdbedba9222816f18bbf03d102bdb73ce3a15
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-24 22:18:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-24 22:29:05 +0000

    app-text/ghostscript-gpl: bump to v9.50
    
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-25 15:14:16 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-25 15:14:59 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-25 15:15:35 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-26 15:16:17 UTC
amd64 stable
Comment 9 Rolf Eike Beer archtester 2019-10-27 19:27:17 UTC
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-10-28 07:43:29 UTC
ppc64 stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:32:13 UTC
arm stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-11-06 23:58:31 UTC
arm64 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-08 08:34:02 UTC
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2019-11-13 13:17:17 UTC
ia64 stable
Comment 15 Matt Turner gentoo-dev 2019-11-17 07:21:52 UTC
alpha stable

all arches stable
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:32:40 UTC
@maintainer(s), ok to cleanup?
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 21:55:42 UTC
Tree is clean: https://bugs.gentoo.org/676264#c16
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:46:38 UTC
Added to an existing GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 19:53:27 UTC
This issue was resolved and addressed in
 GLSA 202004-03 at https://security.gentoo.org/glsa/202004-03
by GLSA coordinator Thomas Deutschmann (whissi).