
Bug 596576 (CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602)

Summary: <app-text/ghostscript-gpl-9.20-r1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: dev-zero
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.ghostscript.com/show_bug.cgi?id=697178
Whiteboard: A2 [glsa cve]
Package list:
=app-text/ghostscript-gpl-9.20-r1 =net-print/gutenprint-5.2.12
Runtime testing required: Yes
Bug Depends on:
Bug Blocks: 587744, 607190

Description Ian Zimmerman 2016-10-08 19:51:01 UTC
According to the post on oss-security [1], where pointers to upstream fixes can also be found:

bug: various userparams allow %pipe% in paths, allowing remote shell
command execution.

bug: .libfile doesn't check PermitFileReading array, allowing remote
file disclosure.

bug: reference leak in .setdevice allows use-after-free and remote
code execution

bug: type confusion in .initialize_dsc_parser allows remote code execution

[1] https://marc.info/?l=oss-security&m=147568403218963&w=2


Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2016-10-09 14:25:23 UTC
Given the current status of ghostscript's security I did not consider opening the bug.
Thanks anyway for doing it.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 18:09:26 UTC
Upstream fix: http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d

Not yet released.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-25 14:54:37 UTC
> bug: various userparams allow %pipe% in paths, allowing remote shell
> command execution.

CVE-2016-7976

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697178

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d


> bug: .libfile doesn't check PermitFileReading array, allowing remote
> file disclosure.

CVE-2016-7977

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697169

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70


> bug: reference leak in .setdevice allows use-after-free and remote
> code execution

CVE-2016-7978

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697179

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf


> bug: type confusion in .initialize_dsc_parser allows remote
> code execution

CVE-2016-7979

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697190

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913


> type confusion

CVE-2016-8602

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697203

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78



@ Maintainer(s): Please bump to >=app-text/ghostscript-gpl-9.20 and cherry-pick the patches.
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2017-01-25 18:03:04 UTC
A preliminary version bump can be found here:

https://gitweb.gentoo.org/dev/dev-zero.git/tree/app-text/ghostscript-gpl/ghostscript-gpl-9.20.ebuild

It is still a WIP since I didn't fix the build failures with gsdjvu yet.
The patchset is based on the Fedora patches minus the one for jbig2dec since we unbundle it anyway. The tarball is located on woodpecker:/home/dev-zero/distfiles/ghostscript-gpl-9.20-patchset-1.tar.xz
(since upstream now uses xz instead of bz2, I switched to xz for the patchset as well)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-01-28 13:15:40 UTC
Bumped to 9.20 in ~arch, please test. I still need to verify which of these issues are already fixed and which need separate patches.

(In reply to Tiziano Müller from comment #4)
[...]
> The patchset is based on the Fedora patches minus the one for jbig2dec since
> we unbundle it anyway. The tarball is located on
> woodpecker:/home/dev-zero/distfiles/ghostscript-gpl-9.20-patchset-1.tar.xz

Doh. Only saw this now. Will have a look later on.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2017-01-28 22:50:23 UTC
commit 521a0bbaf9bea07b4c977156bb5cd3efaded1bb4
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Sat Jan 28 23:47:18 2017 +0100

    app-text/ghostscript-gpl: Revision bump adding various security patches from Fedora, bug 596576
    
    Many thanks to dev-zero for preparing this.
    It fixes CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1

 app-text/ghostscript-gpl/Manifest                       |   1 +
 app-text/ghostscript-gpl/ghostscript-gpl-9.20-r1.ebuild | 255 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)


Let's test this for a bit before stabilization.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2017-02-10 23:59:49 UTC
I don't see any breakage wave coming, so let's go ahead.

Arches please stabilize app-text/ghostscript-gpl-9.20-r1
Target: all stable arches
Comment 8 Agostino Sarubbo gentoo-dev 2017-02-12 14:49:01 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-02-12 15:44:30 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-12 17:01:28 UTC
ppc stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-15 13:51:40 UTC
Stable on alpha.
Comment 12 Markus Meier gentoo-dev 2017-02-15 17:31:57 UTC
arm stable
Comment 13 Andreas K. Hüttel archtester gentoo-dev 2017-02-16 23:20:05 UTC
Adding arches back.

Please also stabilize =net-print/gutenprint-5.2.12 (the current stable version does not build with the newly stable ghostscript-gpl, see bug 587744).

So,

=app-text/ghostscript-gpl-9.20-r1
=net-print/gutenprint-5.2.12

Target: all stable arches
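A check a Gentoo administrator can run against this bug's package list, as an added example that is not part of the bug report or of any Gentoo tool: it parses Gentoo-style versions (including the -rN revision) and reports which of the two packages listed here are still below the stabilized version. INSTALLED_SAMPLE is a constructed sample, and the parser assumes only the numeric/letter/revision subset of the version grammar that these packages use.

```python
import re

# Versions stabilized in this bug (package list / GLSA 201702-31).
FIXED = {
    "app-text/ghostscript-gpl": "9.20-r1",
    "net-print/gutenprint": "5.2.12",
}

# Constructed sample of installed packages, in the category/name-version
# form used for the directories under /var/db/pkg on a Gentoo system.
INSTALLED_SAMPLE = [
    "app-text/ghostscript-gpl-9.19",
    "net-print/gutenprint-5.2.11-r2",
    "app-text/poppler-0.51.0",
]


def parse_version(ver):
    """Turn a Gentoo version such as '9.20-r1' into a comparable tuple.
    Covers dotted numbers, an optional trailing letter and the -rN revision,
    which is all these packages need; _p/_rc/_pre suffixes are rejected
    rather than silently mis-ordered."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z])?(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return (numbers, m.group(2) or "", int(m.group(3) or 0))


def split_cpv(cpv):
    """Split 'category/name-version'; the version starts at the first '-'
    that is followed by a digit (package names may not end that way)."""
    m = re.fullmatch(r"(.+?)-(\d.*)", cpv)
    if not m:
        raise ValueError(f"not a category/name-version string: {cpv}")
    return m.group(1), m.group(2)


def outdated_packages(installed, fixed=FIXED):
    """Return (package, installed, required) for every package from the
    bug's list that is still older than the stabilized version."""
    result = []
    for cpv in installed:
        pkg, ver = split_cpv(cpv)
        if pkg in fixed and parse_version(ver) < parse_version(fixed[pkg]):
            result.append((pkg, ver, fixed[pkg]))
    return result


for pkg, have, need in outdated_packages(INSTALLED_SAMPLE):
    print(f"{pkg}: installed {have}, need >={need}")
```

On a real system the installed list comes from the directory names under /var/db/pkg/<category>/, which have exactly this form.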
Comment 14 Agostino Sarubbo gentoo-dev 2017-02-17 10:15:30 UTC
amd64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-02-17 10:42:24 UTC
x86 stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-02-17 10:57:32 UTC
sparc stable
Comment 17 Michael Weber (RETIRED) gentoo-dev 2017-02-17 22:27:39 UTC
arm ppc ppc64 stable.
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-18 12:05:31 UTC
Stable for HPPA.
Comment 19 Agostino Sarubbo gentoo-dev 2017-02-18 14:45:10 UTC
ia64 stable
Comment 20 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-21 11:55:22 UTC
Stable on alpha.
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2017-02-21 12:45:13 UTC
Cleanup done.

Nothing to do for printing here anymore.
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 18:21:57 UTC
New GLSA request filed.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2017-02-22 11:22:43 UTC
This issue was resolved and addressed in GLSA 201702-31 at https://security.gentoo.org/glsa/201702-31 by GLSA coordinator Thomas Deutschmann (whissi).