
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER



Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole

Hi,

Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
execution: http://openwall.com/lists/oss-security/2018/08/21/2

I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and
I was able to reproduce the issue on my system:

> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> 
> $ convert exploit.jpg exploit.gif                        :(
> uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792  '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d' '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @ error/convert.c/ConvertImageCommand/3258.
> 
> $ apt-cache policy ghostscript     
> ghostscript:
>   Installed: 9.22~dfsg-2.1
>   Candidate: 9.22~dfsg-2.1
>   Version table:
>  *** 9.22~dfsg-2.1 990
>         990 http://localhost:3142/debian buster/main amd64 Packages
>         500 http://localhost:3142/debian sid/main amd64 Packages
>         100 /var/lib/dpkg/status


I'm attaching the relevant files.


Best,

  nicoo


[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghostscript depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.27-5
ii  libgs9                 9.22~dfsg-2.1

Versions of packages ghostscript recommends:
ii  gsfonts  1:8.11+urwcyr1.0.7~pre44-4.4

Versions of packages ghostscript suggests:
pn  ghostscript-x  <none>

-- no debconf information

