http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b60d50b7567369ad856cebe1efb6cd7dd2284219

RHSA-2019:2281

https://bugs.ghostscript.com/show_bug.cgi?id=697193

[debian-lts-announce] 20180913 [SECURITY] [DLA 1504-1] ghostscript security update

USN-3768-1

DSA-4336

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the .pdf_hook_DSC_Creator procedure     where it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - ghostscript before version 9.21 is vulnerable to a heap     based buffer overflow that was found in the ghostscript     jbig2_decode_gray_scale_image function which is used to     decode halftone segments in a JBIG2 image. A document     (PostScript or PDF) with an embedded, specially     crafted, jbig2 image could trigger a segmentation fault     in ghostscript.(CVE-2016-9601)

  - In Artifex Ghostscript before 9.26, a carefully crafted     PDF file can trigger an extremely long running     computation when parsing the file.(CVE-2018-19478)

  - It was found that the .buildfont1 procedure did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. An attacker could     abuse this flaw by creating a specially crafted     PostScript file that could escalate privileges and     access files outside of restricted     areas.(CVE-2019-10216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdfexectoken and other procedures where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14817)

  - A flaw was found in ghostscript, versions 9.x before     9.50, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before     9.50, in the .setuserparams2 procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands.(CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to     9.50, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - libjbig2dec.a in Artifex jbig2dec 0.13, as used in     MuPDF and Ghostscript, has a NULL pointer dereference     in the jbig2_huffman_get function in jbig2_huffman.c.
    For example, the jbig2dec utility will crash     (segmentation fault) when parsing an invalid     file.(CVE-2017-9216)

  - Artifex jbig2dec 0.13, as used in Ghostscript, allows     out-of-bounds writes because of an integer overflow in     the jbig2_build_huffman_table function in     jbig2_huffman.c during operations on a crafted JBIG2     file, leading to a denial of service (application     crash) or possibly execution of arbitrary     code.(CVE-2017-7975)

  - Artifex jbig2dec 0.13 has a heap-based buffer over-read     leading to denial of service (application crash) or     disclosure of sensitive information from process     memory, because of an integer overflow in the     jbig2_decode_symbol_dict function in     jbig2_symbol_dict.c in libjbig2dec.a during operation     on a crafted .jb2 file.(CVE-2017-7885)

  - Artifex jbig2dec 0.13 allows out-of-bounds writes and     reads because of an integer overflow in the     jbig2_image_compose function in jbig2_image.c during     operations on a crafted .jb2 file, leading to a denial     of service (application crash) or disclosure of     sensitive information from process     memory.(CVE-2017-7976)

  - A heap based buffer overflow was found in the     ghostscript jbig2_decode_gray_scale_image() function     used to decode halftone segments in a JBIG2 image. A     document (PostScript or PDF) with an embedded,     specially crafted, jbig2 image could trigger a     segmentation fault in ghostscript.(CVE-2016-9601)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ghostscript packages installed that are affected by multiple vulnerabilities:

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977. (CVE-2018-11645)

  - It was found that the .buildfont1 procedure did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. An attacker could     abuse this flaw by creating a specially crafted     PostScript file that could escalate privileges and     access files outside of restricted areas.
    (CVE-2019-10216)

  - A flaw was found in ghostscript, versions 9.x before     9.50, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands. (CVE-2019-14813)

  - A flaw was found in all ghostscript versions 9.x before     9.50, in the .setuserparams2 procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands. (CVE-2019-14812)

  - A flaw was found in, ghostscript versions prior to 9.50,     in the .pdf_hook_DSC_Creator procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands. (CVE-2019-14811)

  - A flaw was found in, ghostscript versions prior to 9.50,     in the .pdfexectoken and other procedures where it did     not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands. (CVE-2019-14817)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977.(CVE-2018-11645)

  - The PS Interpreter in Ghostscript 9.18 and 9.20 allows     remote attackers to execute arbitrary code via crafted     userparams.(CVE-2016-7976)

  - A flaw was found in, ghostscript versions prior to     9.28, in the .pdf_hook_DSC_Creator procedure where it     did not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands.(CVE-2019-14811)

  - A flaw was found in the .setuserparams2 procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14812)

  - A flaw was found in the setsystemparams procedure where     it did not properly secure its privileged calls,     enabling scripts to bypass `-dSAFER` restrictions. A     specially crafted PostScript file could disable     security protection and then have access to the file     system, or execute arbitrary commands.(CVE-2019-14813)

  - A flaw was found in the .pdfexectoken and other     procedures where it did not properly secure its     privileged calls, enabling scripts to bypass `-dSAFER`     restrictions. A specially crafted PostScript file could     disable security protection and then have access to the     file system, or execute arbitrary     commands.(CVE-2019-14817)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ghostscript packages installed that are affected by multiple vulnerabilities:

  - psi/zfile.c in Artifex Ghostscript before 9.21rc1     permits the status command even if -dSAFER is used,     which might allow remote attackers to determine the     existence and size of arbitrary files, a similar issue     to CVE-2016-7977. (CVE-2018-11645)

  - A flaw was found in ghostscript, versions 9.x before     9.28, in the setsystemparams procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands. (CVE-2019-14813)

  - A flaw was found in, ghostscript versions prior to 9.28,     in the .pdf_hook_DSC_Creator procedure where it did not     properly secure its privileged calls, enabling scripts     to bypass `-dSAFER` restrictions. A specially crafted     PostScript file could disable security protection and     then have access to the file system, or execute     arbitrary commands. (CVE-2019-14811)

  - A flaw was found in, ghostscript versions prior to 9.28,     in the .pdfexectoken and other procedures where it did     not properly secure its privileged calls, enabling     scripts to bypass `-dSAFER` restrictions. A specially     crafted PostScript file could disable security     protection and then have access to the file system, or     execute arbitrary commands. (CVE-2019-14817)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for ghostscript is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed.

The following packages have been upgraded to a later upstream version:
ghostscript (9.25). (BZ#1636115)

Security Fix(es) :

* ghostscript: status command permitted with -dSAFER in psi/zfile.c allowing attackers to identify the size and existence of files (CVE-2018-11645)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

The following packages have been upgraded to a later upstream version:
ghostscript (9.25).

Security Fix(es) :

  - ghostscript: status command permitted with -dSAFER in     psi/zfile.c allowing attackers to identify the size and     existence of files (CVE-2018-11645)

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service, disclosure of existence and size of arbitrary files, or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.25 which includes additional non-security related changes.

It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15909)

An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in 'ztype' could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16511)

An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact.(CVE-2018-16585)

It was discovered that the ghostscript PDF14 compositor did not properly handle the copying of a device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16540)

It was discovered that the ghostscript device cleanup did not properly handle devices replaced with a null device. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16541)

It was discovered that the ghostscript did not properly restrict access to files open prior to enabling the -dSAFER mode. An attacker could possibly exploit this to bypass the -dSAFER protection and disclose the content of affected files via a specially crafted PostScript document.(CVE-2018-16539)

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect 'restoration of privilege' checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 .(CVE-2018-16802)

It was discovered that ghostscript did not properly handle certain stack overflow error conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16542)

Ghostscript did not honor the -dSAFER option when executing the 'status' instruction, which can be used to retrieve information such as a file's existence and size. A specially crafted postscript document could use this flow to gain information on the targeted system's filesystem content.(CVE-2018-11645)

It was discovered that the ghostscript did not properly validate the operands passed to the setcolor function. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-16513)

It was discovered that the type of the LockDistillerParams parameter is not properly verified. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15910)

It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.(CVE-2018-16509)

It was discovered that ghostscript did not properly verify the key used in aesdecode. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.(CVE-2018-15911)

It was discovered that the ghostscript .tempfile function did not properly handle file permissions. An attacker could possibly exploit this to exploit this to bypass the -dSAFER protection and delete files or disclose their content via a specially crafted PostScript document.(CVE-2018-15908)

Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For Debian 8 'Jessie', these problems have been fixed in version 9.06~dfsg-2+deb8u8.

We recommend that you upgrade your ghostscript packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135661	EulerOS Virtualization 3.0.2.2 : ghostscript (EulerOS-SA-2020-1499)	Nessus	Huawei Local Security Checks	high
134529	EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2020-1240)	Nessus	Huawei Local Security Checks	high
132453	NewStart CGSL CORE 5.05 / MAIN 5.05 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0250)	Nessus	NewStart CGSL Local Security Checks	high
130860	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-2151)	Nessus	Huawei Local Security Checks	high
129908	NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0203)	Nessus	NewStart CGSL Local Security Checks	high
128382	CentOS 7 : ghostscript (CESA-2019:2281)	Nessus	CentOS Local Security Checks	medium
128219	Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	medium
127704	RHEL 7 : ghostscript (RHSA-2019:2281)	Nessus	Red Hat Local Security Checks	medium
118893	Debian DSA-4336-1 : ghostscript - security update	Nessus	Debian Local Security Checks	medium
118043	Amazon Linux 2 : ghostscript (ALAS-2018-1088)	Nessus	Amazon Linux Local Security Checks	high
117595	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : ghostscript vulnerabilities (USN-3768-1)	Nessus	Ubuntu Local Security Checks	high
117487	Debian DLA-1504-1 : ghostscript security update	Nessus	Debian Local Security Checks	high

CVE-2018-11645

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins