http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commit;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d

DSA-3691

[oss-security] 20161019 Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

95332

https://bugs.ghostscript.com/show_bug.cgi?id=697178

GLSA-201702-31

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the .pdf_hook_DSC_Creator procedure     where it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - In Artifex Ghostscript before 9.26, a carefully crafted     PDF file can trigger an extremely long running     computation when parsing the file.(CVE-2018-19478)

  - It was found that the .buildfont1 procedure did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. An attacker could     abuse this flaw by creating a specially crafted     PostScript file that could escalate privileges and     access files outside of restricted     areas.(CVE-2019-10216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdfexectoken and other procedures where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14817)

  - A flaw was found in ghostscript, versions 9.x before     9.50, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before     9.50, in the .setuserparams2 procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - A heap based buffer overflow was found in the     ghostscript jbig2_decode_gray_scale_image() function     used to decode halftone segments in a JBIG2 image. A     document (PostScript or PDF) with an embedded,     specially crafted, jbig2 image could trigger a     segmentation fault in ghostscript.(CVE-2016-9601)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - A flaw was found in, ghostscript versions prior to     9.28, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201702-31 (GPL Ghostscript: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in GPL Ghostscript and the       bundled OpenJPEG. Please review the CVE identifiers and GLSA-201612-26       (OpenJPEG) referenced below for additional information.
    Note: GPL Ghostscript in Gentoo since app-text/ghostscript-gpl-9.20-r1       no longer bundles OpenJPEG.
  Impact :

    A context-dependent attacker could entice a user to open a specially       crafted PostScript file or PDF using GPL Ghostscript possibly resulting       in the execution of arbitrary code with the privileges of the process or       a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Tavis Ormandy discovered multiple vulnerabilities in the way that Ghostscript processes certain Postscript files. If a user or automated system were tricked into opening a specially crafted file, an attacker could cause a denial of service or possibly execute arbitrary code.
(CVE-2016-7976, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602)

Multiple vulnerabilities were discovered in Ghostscript related to information disclosure. If a user or automated system were tricked into opening a specially crafted file, an attacker could expose sensitive data. (CVE-2013-5653, CVE-2016-7977).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a rebase of **ghostscript** package, to address several security issues :

  - [CVE-2016-7977     ](https://bugzilla.redhat.com/show_bug.cgi?id=1380415) -
    *.libfile does not honor -dSAFER*

  -     [CVE-2013-5653](https://bugzilla.redhat.com/show_bug.cgi     ?id=1380327) - *getenv and filenameforall ignore
    -dSAFER*

  -     [CVE-2016-7976](https://bugzilla.redhat.com/show_bug.cgi     ?id=1382294) - *various userparams allow %pipe% in     paths, allowing remote shell*

  -     [CVE-2016-7978](https://bugzilla.redhat.com/show_bug.cgi     ?id=1382300) - *reference leak in .setdevice allows     use-after-free and remote code*

  -     [CVE-2016-7979](https://bugzilla.redhat.com/show_bug.cgi     ?id=1382305) - *Type confusion in .initialize_dsc_parser     allows remote code execution*

----------- #### INFORMATION FOR FEDORA PACKAGERS & MAINTAINERS :

**ghostscript** has been rebased to latest upstream version (9.20).
Rebase notes :

  - **no API/ABI changes between versions 9.16 -> 9.20     according to upstream**

  - *OpenJPEG* support has been retained

  - *ijs-config* custom tool from upstream has been
    *removed* (by upstream) (*pkg-config* is used by default     now instead, see [commit     0c176a9](http://git.ghostscript.com/?p=ghostpdl.git;h=0c     176a91d53c85cda))

  - some patches were updated to 'git format-patch' format &     renamed

  - rest of the patches were deleted (irrelevant for current     version), mostly because upstream has fixed those issues     in some way

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or information disclosure if a specially crafted Postscript file is processed.

ID	Name	Product	Family	Severity
135661	EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)	Nessus	Huawei Local Security Checks	high
134529	EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)	Nessus	Huawei Local Security Checks	high
130860	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2151)	Nessus	Huawei Local Security Checks	high
97343	GLSA-201702-31 : GPL Ghostscript: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
95467	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : ghostscript vulnerabilities (USN-3148-1)	Nessus	Ubuntu Local Security Checks	high
94786	Fedora 25 : ghostscript (2016-2df27a2224)	Nessus	Fedora Local Security Checks	high
94121	Fedora 24 : ghostscript (2016-53e8aa35f6)	Nessus	Fedora Local Security Checks	high
94119	Fedora 23 : ghostscript (2016-1c13825502)	Nessus	Fedora Local Security Checks	high
94023	Debian DSA-3691-1 : ghostscript - security update	Nessus	Debian Local Security Checks	high

CVE-2016-7976

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins