Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole

Hi,

Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code execution: http://openwall.com/lists/oss-security/2018/08/21/2

I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster, and I was able to reproduce the issue on my system:

> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo)
> groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
>
> $ convert exploit.jpg exploit.gif :(
> uid=1000(nicoo) gid=1000(nicoo)
> groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET
> -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0
> -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4
> '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d'
> '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage'
> (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @
> error/convert.c/ConvertImageCommand/3258.
>
> $ apt-cache policy ghostscript
> ghostscript:
> Installed: 9.22~dfsg-2.1
> Candidate: 9.22~dfsg-2.1
> Version table:
> *** 9.22~dfsg-2.1 990
> 990 http://localhost:3142/debian buster/main amd64 Packages
> 500 http://localhost:3142/debian sid/main amd64 Packages
> 100 /var/lib/dpkg/status

I'm attaching the relevant files.

Best,

nicoo

[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghostscript depends on:
ii debconf [debconf-2.0] 1.5.69
ii libc6 2.27-5
ii libgs9 9.22~dfsg-2.1

Versions of packages ghostscript recommends:
ii gsfonts 1:8.11+urwcyr1.0.7~pre44-4.4

Versions of packages ghostscript suggests:
pn ghostscript-x <none>

-- no debconf information