Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 692106 (CVE-2019-10216)

Summary: <app-text/ghostscript-gpl-9.28_rc4: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: nobrowser, printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2019/08/12/4
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 693002    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-13 23:10:22 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-08-13 23:12:15 UTC
The .buildfont1 does not sufficiently protect its environment. A specially crafted PostScript script can override the typecheck error handler to retrieve a reference to .forceput. This can be used to disable -dSAFER and, for example, access files outside of the restricted area.

Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
Comment 2 Arfrever Frehtes Taifersar Arahesis 2019-10-24 01:32:31 UTC
Ghostscript 9.50 was released on 2019-10-15:
https://ghostscript.com/pipermail/gs-devel/2019-October/010232.html

"""
The more astute among you might notice that 9.28 has morphed into 9.50.
In a recent discussion amongst the Ghostscript developers, it became
clear that the redesign and reimplementation of the file security
features warranted more recognition than just the usual single digit
version increment. Hence we opted to bump it up to 9.50.
"""
Comment 3 Arfrever Frehtes Taifersar Arahesis 2019-10-24 23:36:36 UTC
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afdbdbedba9222816f18bbf03d102bdb73ce3a15

commit afdbdbedba9222816f18bbf03d102bdb73ce3a15
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-24 22:18:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-24 22:29:05 +0000

    app-text/ghostscript-gpl: bump to v9.50
    
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-04-01 19:45:01 UTC
New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 19:53:19 UTC
This issue was resolved and addressed in
 GLSA 202004-03 at https://security.gentoo.org/glsa/202004-03
by GLSA coordinator Thomas Deutschmann (whissi).