Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole
Hi,
Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
execution: http://openwall.com/lists/oss-security/2018/08/21/2
I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and
I was able to reproduce the issue on my system:
> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
>
> $ convert exploit.jpg exploit.gif :(
> uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d' '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @ error/convert.c/ConvertImageCommand/3258.
>
> $ apt-cache policy ghostscript
> ghostscript:
> Installed: 9.22~dfsg-2.1
> Candidate: 9.22~dfsg-2.1
> Version table:
> *** 9.22~dfsg-2.1 990
> 990 http://localhost:3142/debian buster/main amd64 Packages
> 500 http://localhost:3142/debian sid/main amd64 Packages
> 100 /var/lib/dpkg/status
I'm attaching the relevant files.
Best,
nicoo
[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ghostscript depends on:
ii debconf [debconf-2.0] 1.5.69
ii libc6 2.27-5
ii libgs9 9.22~dfsg-2.1
Versions of packages ghostscript recommends:
ii gsfonts 1:8.11+urwcyr1.0.7~pre44-4.4
Versions of packages ghostscript suggests:
pn ghostscript-x <none>
-- no debconf information