Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-27 Thread Salvatore Bonaccorso
Hi,

On Mon, Aug 27, 2018 at 08:34:25PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> > Hi,
> > 
> > On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > > Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
> > > execution:  http://openwall.com/lists/oss-security/2018/08/21/2
> > 
> > There are actually several issues, see the whole thread. For now since
> > you filed this bug will track all those with this bug entry. Proper
> > evaluation though is still pending (and Moritz is taking care of
> > stretch, adding this note to dsa-needed file ("needs some research on
> > issues found by Tavis")).
> > 
> > See
> > 
> > https://www.kb.cert.org/vuls/id/332928
> > 
> > the current set of fixes:
> > 
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
> 
> Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19

A first set of CVEs has now been assigned already:

CVE-2018-15908, CVE-2018-15909 and CVE-2018-15910.

Regards,
Salvatore



Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-27 Thread Jonas Smedegaard
Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> Hi,
> 
> On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
> > execution:  http://openwall.com/lists/oss-security/2018/08/21/2
> 
> There are actually several issues, see the whole thread. For now since
> you filed this bug will track all those with this bug entry. Proper
> evaluation though is still pending (and Moritz is taking care of
> stretch, adding this note to dsa-needed file ("needs some research on
> issues found by Tavis")).
> 
> See
> 
> https://www.kb.cert.org/vuls/id/332928
> 
> the current set of fixes:
> 
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614

Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-26 Thread Salvatore Bonaccorso
Hi,

On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
> execution:  http://openwall.com/lists/oss-security/2018/08/21/2

There are actually several issues, see the whole thread. For now since
you filed this bug will track all those with this bug entry. Proper
evaluation though is still pending (and Moritz is taking care of
stretch, adding this note to dsa-needed file ("needs some research on
issues found by Tavis")).

See

https://www.kb.cert.org/vuls/id/332928

the current set of fixes:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614

Regards,
Salvatore



Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-26 Thread Nicolas Braud-Santoni
On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> 
> I'm attaching the relevant files.

Oops, forgot the attachments.


exploit.ps
Description: PostScript document




Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-26 Thread Stefano Rivera
Control: tag -1 stretch

> I was able to reproduce the issue on my system:

Reproduced on stretch too.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER

2018-08-26 Thread Nicolas Braud-Santoni
Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole

Hi,

Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
execution:  http://openwall.com/lists/oss-security/2018/08/21/2

I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and
I was able to reproduce the issue on my system:

> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> 
> $ convert exploit.jpg exploit.gif:(
> uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=5 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792  '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d' '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @ error/convert.c/ConvertImageCommand/3258.
> 
> $ apt-cache policy ghostscript 
> ghostscript:
>   Installed: 9.22~dfsg-2.1
>   Candidate: 9.22~dfsg-2.1
>   Version table:
>  *** 9.22~dfsg-2.1 990
>         990 http://localhost:3142/debian buster/main amd64 Packages
>         500 http://localhost:3142/debian sid/main amd64 Packages
>         100 /var/lib/dpkg/status


I'm attaching the relevant files.


Best,

  nicoo


[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghostscript depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6  2.27-5
ii  libgs9 9.22~dfsg-2.1

Versions of packages ghostscript recommends:
ii  gsfonts  1:8.11+urwcyr1.0.7~pre44-4.4

Versions of packages ghostscript suggests:
pn  ghostscript-x  

-- no debconf information
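
Added example (not part of the bug report and not code from Ghostscript, ImageMagick or Debian): the transcript above shows convert handing a file named exploit.jpg to gs, so the handler was chosen from the file's content, not its extension. The pre-filter below applies the same content-first check to uploads before they reach a converter; the signature list, function names and sample inputs are assumptions constructed for this example.

```python
import os

# Leading-byte signatures of formats that image converters render through
# Ghostscript. Illustrative list assumed for this example, not exhaustive.
GS_SIGNATURES = [
    (b"%PDF-", "PDF"),
    (b"%!", "PostScript/EPS"),
    (b"\x04%!", "PostScript (Ctrl-D prefix)"),
    (b"\xc5\xd0\xd3\xc6", "EPS (DOS binary header)"),
]
GS_EXTENSIONS = {".ps", ".eps", ".epsf", ".epsi", ".pdf"}


def ghostscript_format(data: bytes):
    """Return the Ghostscript-handled format the content looks like, or None."""
    head = data[:1024]
    if head.startswith(b"\xef\xbb\xbf"):      # tolerate a UTF-8 BOM
        head = head[3:]
    head = head.lstrip(b" \t\r\n")            # and leading whitespace
    for magic, label in GS_SIGNATURES:
        if head.startswith(magic):
            return label
    return None


def screen_upload(filename: str, data: bytes):
    """Decide on content first, file name second: ("accept"|"reject", reason)."""
    label = ghostscript_format(data)
    ext = os.path.splitext(filename)[1].lower()
    if label is not None:
        return ("reject", f"content is {label}, extension is {ext or 'none'}")
    if ext in GS_EXTENSIONS:
        return ("reject", f"extension {ext} is a Ghostscript-handled type")
    return ("accept", None)


# Constructed sample inputs: harmless headers only, no document body.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "renamed.jpg": b"%!PS-Adobe-3.0\n%%BoundingBox: 0 0 10 10\n",
    "scan.png": b"\n%PDF-1.4\n",
    "figure.eps": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, screen_upload(name, blob))
```
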