Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Hi,

On Mon, Aug 27, 2018 at 08:34:25PM +0200, Jonas Smedegaard wrote:
> Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> > Hi,
> >
> > On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > > Tavis Ormandy disclosed a new ghostscript security issue, leading directly
> > > to code
> > > execution: http://openwall.com/lists/oss-security/2018/08/21/2
> >
> > There are actually several issues, see the whole thread. For now since
> > you filed this bug will track all those with this bug entry. Proper
> > evaluation though is still pending (and Moritz is taking care of
> > stretch, adding this note to dsa-needed file ("needs some research on
> > issues found by Tavis").
> >
> > See
> >
> > https://www.kb.cert.org/vuls/id/332928
> >
> > the current set of fixes:
> >
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> > http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614
>
> Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19

A first set of CVEs has now been assigned already: CVE-2018-15908,
CVE-2018-15909 and CVE-2018-15910.

Regards,
Salvatore
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Quoting Salvatore Bonaccorso (2018-08-26 21:55:14)
> Hi,
>
> On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> > Tavis Ormandy disclosed a new ghostscript security issue, leading directly to
> > code
> > execution: http://openwall.com/lists/oss-security/2018/08/21/2
>
> There are actually several issues, see the whole thread. For now since
> you filed this bug will track all those with this bug entry. Proper
> evaluation though is still pending (and Moritz is taking care of
> stretch, adding this note to dsa-needed file ("needs some research on
> issues found by Tavis").
>
> See
>
> https://www.kb.cert.org/vuls/id/332928
>
> the current set of fixes:
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614

Also http://git.ghostscript.com/?p=ghostpdl.git;h=0b6cd19

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

signature.asc
Description: signature
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Hi,

On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
> Tavis Ormandy disclosed a new ghostscript security issue, leading directly to
> code
> execution: http://openwall.com/lists/oss-security/2018/08/21/2

There are actually several issues, see the whole thread. For now since
you filed this bug will track all those with this bug entry. Proper
evaluation though is still pending (and Moritz is taking care of
stretch, adding this note to dsa-needed file ("needs some research on
issues found by Tavis").

See

https://www.kb.cert.org/vuls/id/332928

the current set of fixes:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce501
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d9111
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a3
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d390118
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614

Regards,
Salvatore
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
On Sun, Aug 26, 2018 at 06:08:58PM +0100, Nicolas Braud-Santoni wrote:
>
> I'm attaching the relevant files.

Oops, forgot the attachments.

exploit.ps
Description: PostScript document

signature.asc
Description: PGP signature
Processed: Re: Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Processing control commands:

> tag -1 stretch
Bug #907332 [ghostscript] ghostscript has a new code execution issue, even when used with -dSAFER
Added tag(s) stretch.

--
907332: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907332
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Control: tag -1 stretch

> I was able to reproduce the issue on my system:

Reproduced on stretch too.

SR

--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
Bug#907332: ghostscript has a new code execution issue, even when used with -dSAFER
Package: ghostscript
Version: 9.22~dfsg-2.1
Severity: grave
Tags: security buster sid
Justification: user security hole

Hi,

Tavis Ormandy disclosed a new ghostscript security issue, leading directly to code
execution: http://openwall.com/lists/oss-security/2018/08/21/2

I don't think this is [CVE-2018-11645], as it's supposedly fixed in buster,
and I was able to reproduce the issue on my system:

> $ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null < exploit.ps
> GS>GS>GS>GS>GS<1>uid=1000(nicoo) gid=1000(nicoo)
> groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
>
> $ convert exploit.jpg exploit.gif:(
> uid=1000(nicoo) gid=1000(nicoo)
> groups=1000(nicoo),4(adm),5(tty),20(dialout),27(sudo),44(video),46(plugdev),104(input),113(sbuild),115(wireshark)
> convert-im6.q16: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET
> -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=5 -dAlignToPixels=0
> -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4
> '-r72x72' -g612x792 '-sOutputFile=/tmp/magick-955WzJ4UvxhLwQT%d'
> '-f/tmp/magick-95505j-kbelxXGs' '-f/tmp/magick-955IqsJtzVIPtx1' -c showpage'
> (-1) @ error/delegate.c/ExternalDelegateCommand/462.
> convert-im6.q16: no images defined `exploit.gif' @
> error/convert.c/ConvertImageCommand/3258.
>
> $ apt-cache policy ghostscript
> ghostscript:
>   Installed: 9.22~dfsg-2.1
>   Candidate: 9.22~dfsg-2.1
>   Version table:
>  *** 9.22~dfsg-2.1 990
>         990 http://localhost:3142/debian buster/main amd64 Packages
>         500 http://localhost:3142/debian sid/main amd64 Packages
>         100 /var/lib/dpkg/status

I'm attaching the relevant files.

Best,

  nicoo

[CVE-2018-11645]: https://security-tracker.debian.org/tracker/CVE-2018-11645

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ghostscript depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  libc6                  2.27-5
ii  libgs9                 9.22~dfsg-2.1

Versions of packages ghostscript recommends:
ii  gsfonts  1:8.11+urwcyr1.0.7~pre44-4.4

Versions of packages ghostscript suggests:
pn  ghostscript-x  <none>

-- no debconf information
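
In the report above, `convert exploit.jpg` ends in a `gs` delegate call, so a file extension does not keep untrusted input away from Ghostscript. The following is an added example, not part of the thread or of any project named in it: a pre-filter that classifies uploads by their leading bytes before they reach an image converter. The magic-byte list, the extension set and all function names are assumptions of this example, and the sample headers are constructed.

```python
import os

# Leading bytes of formats that image tools commonly route to Ghostscript.
# This list is an assumption of the example, not taken from the bug report.
GS_MAGIC = (
    (b"%!", "PostScript"),
    (b"\x04%!", "PostScript (leading Ctrl-D)"),
    (b"%PDF-", "PDF"),
    (b"\xc5\xd0\xd3\xc6", "EPS (DOS binary header)"),
)
# Extensions for which Ghostscript-interpreted content is expected.
GS_EXTENSIONS = {".ps", ".eps", ".epsf", ".pdf"}
UTF8_BOM = b"\xef\xbb\xbf"


def sniff_gs_format(head: bytes):
    """Return a format name if the leading bytes look like gs input, else None."""
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    head = head.lstrip(b" \t\r\n")  # be conservative about leading whitespace
    for magic, name in GS_MAGIC:
        if head.startswith(magic):
            return name
    return None


def classify(filename: str, head: bytes) -> str:
    """'ok' = not gs input, 'gs-input' = declared as such, 'disguised' = mismatch."""
    if sniff_gs_format(head) is None:
        return "ok"
    ext = os.path.splitext(filename)[1].lower()
    return "gs-input" if ext in GS_EXTENSIONS else "disguised"


# Constructed sample headers; the PostScript body is harmless.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "exploit.jpg": b"%!PS\n% constructed, harmless body\nshowpage\n",
    "report.pdf": b"%PDF-1.4\n",
    "figure.eps": b"\xc5\xd0\xd3\xc6\x1e\x00\x00\x00",
}


def scan(samples):
    """Classify every (filename, leading bytes) pair in a mapping."""
    return {name: classify(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Files classified as `disguised` or `gs-input` can be rejected or sent to an isolated conversion path instead of the default image pipeline.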