
Bug#907332: marked as done (ghostscript has a new code execution issue, even when used with -dSAFER)



Your message dated Mon, 27 Aug 2018 22:21:04 +0000
with message-id <E1fuPse-0006OF-27@fasolo.debian.org>
and subject line Bug#907332: fixed in ghostscript 9.22~dfsg-3
has caused the Debian Bug report #907332,
regarding ghostscript has a new code execution issue, even when used with -dSAFER
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
907332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907332
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole

Hi,

Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
execution: http://openwall.com/lists/oss-security/2018/08/21/2

I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and
I was able to reproduce the issue on my system:

> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> 
> $ convert exploit.jpg exploit.gif                        :(
> uid=1000(nicoo) gid=1000(nicoo) groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792  '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d' '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @ error/convert.c/ConvertImageCommand/3258.
> 
> $ apt-cache policy ghostscript     
> ghostscript:
>   Installed: 9.22~dfsg-2.1
>   Candidate: 9.22~dfsg-2.1
>   Version table:
>  *** 9.22~dfsg-2.1 990
>         990 http://localhost:3142/debian buster/main amd64 Packages
>         500 http://localhost:3142/debian sid/main amd64 Packages
>         100 /var/lib/dpkg/status


I'm attaching the relevant files.


Best,

  nicoo


[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghostscript depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.27-5
ii  libgs9                 9.22~dfsg-2.1

Versions of packages ghostscript recommends:
ii  gsfonts  1:8.11+urwcyr1.0.7~pre44-4.4

Versions of packages ghostscript suggests:
pn  ghostscript-x  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 9.22~dfsg-3

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 907332@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Aug 2018 00:05:05 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source
Version: 9.22~dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Closes: 907332
Changes:
 ghostscript (9.22~dfsg-3) unstable; urgency=high
 .
   * Add patches cherry-picked upstream to fix execution issues:
     + Properly apply file permissions to .tempfile.
     + Don't just assume an object is a t_(a)struct.
     + Fix handling of pre-SAFER opened files.
     + Properly check return value when getting value from a dictionary.
     + Handle LockDistillerParams not being a boolean.
     + Fix shading_param incomplete type checking.
     + Ensure the correct is in place before cleanup.
     + Check the restore operand type.
     + Fix memory corruption in aesdecode.
     + Fix handle stack overflow during error handling.
     + Avoid sharing pointers between pdf14 compositors.
     + Improve restore robustness.
     + Hide the .shfill operator.
     Closes: Bug#907332. Thanks to Nicolas Braud-Santoni.
   * Use package section optional (not extra).
   * Extend lintian overrides regarding License-Reference.
   * Declare compliance with Debian Policy 4.2.0.


--- End Message ---
