
Bug#856142: ghostscript: CVE-2017-6196

Control: notfound -1 9.06~dfsg-2
Control: notfound -1 9.20~dfsg-2

Hi

After some more investigation, I suspect the issue actually was only
introduced with

http://git.ghostscript.com/?p=ghostpdl.git;h=cffb5712bc10c2c2f46adf311fc74aaae74cb784

and indeed, applying that commit on top of the sid packaging and
running under valgrind leads to the following (but not without it):

----cut---------cut---------cut---------cut---------cut---------cut-----
==30949== Memcheck, a memory error detector
==30949== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30949== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==30949== Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_uaf_i_free_object -c quit
==30949== 
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
==30949== Invalid read of size 4
==30949==    at 0x5145D87: i_free_object (gsalloc.c:1457)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a4 is 84 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949== 
==30949== Invalid read of size 8
==30949==    at 0x5145D8B: i_free_object (gsalloc.c:1459)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a8 is 88 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949== 
==30949== Invalid read of size 1
==30949==    at 0x5145DC3: i_free_object (gsalloc.c:1487)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==  Address 0xd0881a0 is 80 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x51C08A9: gx_default_begin_image (gdevddrw.c:1024)
==30949==    by 0x51C09CB: gx_default_begin_typed_image (gdevddrw.c:1051)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949== 
==30949== Invalid read of size 4
==30949==    at 0x5145D87: i_free_object (gsalloc.c:1457)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e484 is 84 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949== 
==30949== Invalid read of size 8
==30949==    at 0x5145D8B: i_free_object (gsalloc.c:1459)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e488 is 88 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949== 
==30949== Invalid read of size 1
==30949==    at 0x5145DC3: i_free_object (gsalloc.c:1487)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==    by 0x51FFFA9: runarg (imainarg.c:967)
==30949==    by 0x5201697: gs_main_init_with_args (imainarg.c:238)
==30949==    by 0x108ACA: main (dxmainc.c:86)
==30949==  Address 0xd08e480 is 80 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==    by 0x519D451: gx_begin_image1 (gximage1.c:94)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949==    by 0x51FFE28: run_string (imainarg.c:977)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x5161E85: gs_heap_alloc_bytes (gsmalloc.c:183)
==30949==    by 0x5144A8A: alloc_acquire_clump (gsalloc.c:2430)
==30949==    by 0x51456EC: alloc_obj.isra.4 (gsalloc.c:1891)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==    by 0x519D3F4: gx_begin_image1 (gximage1.c:84)
==30949==    by 0x515DF60: gs_image_begin_typed (gsimage.c:252)
==30949==    by 0x523A3ED: zimage_setup (zimage.c:183)
==30949==    by 0x523A9BC: image1_setup (zimage.c:246)
==30949==    by 0x5209451: interp (interp.c:1574)
==30949==    by 0x5209EC4: gs_call_interp (interp.c:511)
==30949==    by 0x5209EC4: gs_interpret (interp.c:468)
==30949==    by 0x51FE394: gs_main_interpret (imain.c:245)
==30949==    by 0x51FE394: gs_main_run_string_end (imain.c:663)
==30949== 
Error: /undefinedresult in --colorimage--
Operand stack:
   6   8   8   --nostringval--   --nostringval--   --nostringval--   --nostringval--   true   3
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1999   1   3   %oparray_pop   1998   1   3   %oparray_pop   1982   1   3   %oparray_pop   1868   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   1894   9   3   %oparray_pop
Dictionary stack:
   --dict:1207/1684(ro)(G)--   --dict:0/20(G)--   --dict:78/200(L)--
Current allocation mode is local
GPL Ghostscript 9.20: Unrecoverable error, exit code 1
==30949== 
==30949== HEAP SUMMARY:
==30949==     in use at exit: 0 bytes in 0 blocks
==30949==   total heap usage: 2,821 allocs, 2,821 frees, 11,953,960 bytes allocated
==30949== 
==30949== All heap blocks were freed -- no leaks are possible
==30949== 
==30949== For counts of detected and suppressed errors, rerun with: -v
==30949== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
----cut---------cut---------cut---------cut---------cut---------cut-----

I'm not closing the bug yet, nor updating the security tracker as
not-affected, since I would like to see first a peer-review on the
above.

Regards,
Salvatore
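As an added triage aid, not part of the bug report or of Ghostscript: a small Python parser for Valgrind Memcheck output of the shape shown above. It splits the log into "Invalid read/write" records, keeps the three stacks Memcheck prints for a freed block (the bad access, the free, the allocation), flags the record as a use-after-free when a "free'd" stack is present, and groups the hits by accessing frame and freeing frame so the six near-identical records in a trace like the one above collapse to the one or two pairs a reviewer cares about. The embedded trace is a constructed, shortened excerpt modelled on the report's output; the helper names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened excerpt modelled on the Memcheck trace in
# the report above (same frames and addresses, fewer frames per stack).
SAMPLE_TRACE = """\
==30949== Invalid read of size 4
==30949==    at 0x5145D87: i_free_object (gsalloc.c:1457)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==  Address 0xd0881a4 is 84 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==    by 0x5145F1F: i_free_object (gsalloc.c:1511)
==30949==    by 0x51A3664: gx_image_enum_begin (gxipixel.c:293)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==    by 0x51A0ACA: gx_image_enum_alloc (gxipixel.c:178)
==30949==
==30949== Invalid read of size 8
==30949==    at 0x5145D8B: i_free_object (gsalloc.c:1459)
==30949==    by 0x519D4AC: gx_begin_image1 (gximage1.c:99)
==30949==  Address 0xd0881a8 is 88 bytes inside a block of size 24,928 free'd
==30949==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30949==    by 0x514530D: alloc_free_clump (gsalloc.c:2593)
==30949==  Block was alloc'd at
==30949==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30949==
==30949== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
"""

ERROR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
FREED_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d[\d,]*) bytes "
                      r"inside a block of size (\d[\d,]*) free'd$")
ALLOC_RE = re.compile(r"^==\d+==\s+Block was alloc'd at$")
BLANK_RE = re.compile(r"^==\d+==\s*$")
SUMMARY_RE = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors", re.M)


@dataclass
class Frame:
    func: str
    loc: str          # "file.c:line" as printed by Memcheck


@dataclass
class MemError:
    kind: str                   # "read" or "write"
    size: int                   # access width in bytes
    access: list = field(default_factory=list)     # stack of the bad access
    freed_at: list = field(default_factory=list)   # stack that freed the block
    allocd_at: list = field(default_factory=list)  # stack that allocated it
    offset: int = -1            # offset of the access inside the block
    block_size: int = -1

    @property
    def is_use_after_free(self):
        # Memcheck prints a "free'd" stack only when the block was freed.
        return bool(self.freed_at)


def parse_memcheck(text):
    """Return the list of MemError records found in Memcheck output."""
    errors, cur, stack = [], None, None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = MemError(kind=m.group(1), size=int(m.group(2)))
            errors.append(cur)
            stack = cur.access
            continue
        if cur is None:
            continue                       # text between records
        if BLANK_RE.match(line):
            cur, stack = None, None        # bare "==pid==" line ends the record
            continue
        m = FREED_RE.match(line)
        if m:
            cur.offset = int(m.group(2).replace(",", ""))
            cur.block_size = int(m.group(3).replace(",", ""))
            stack = cur.freed_at
            continue
        if ALLOC_RE.match(line):
            stack = cur.allocd_at
            continue
        m = FRAME_RE.match(line)
        if m:
            stack.append(Frame(m.group(1), m.group(2)))
    return errors


def error_count(text):
    """Total from the ERROR SUMMARY line, or None if the run did not finish."""
    m = SUMMARY_RE.search(text)
    return int(m.group(1)) if m else None


def owner_frame(frames):
    """First frame outside Valgrind's malloc/free replacement library."""
    for f in frames:
        if not f.loc.startswith("vg_replace_malloc.c"):
            return f
    return frames[0] if frames else None


def fmt(f):
    return f"{f.func} ({f.loc})"


def summarize_uaf(errors):
    """Count use-after-free accesses by (accessing frame, freeing frame)."""
    counts = {}
    for e in errors:
        if e.is_use_after_free:
            key = (fmt(e.access[0]), fmt(owner_frame(e.freed_at)))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    errs = parse_memcheck(SAMPLE_TRACE)
    print(f"{len(errs)} records parsed; Memcheck counted {error_count(SAMPLE_TRACE)}")
    for (where, freed), n in summarize_uaf(errs).items():
        print(f"{n}x {where} touches memory freed via {freed}")
```

Feed it a full log (`valgrind ... 2>&1 | python3 memcheck_uaf.py` with `sys.stdin.read()` in place of the sample) to check, before marking a package as not affected, that every "Invalid read" in the output is explained by the same free site; a record whose freeing stack differs from the others points at a second bug rather than a duplicate.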
