http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0

https://bugs.ghostscript.com/show_bug.cgi?id=699670

[debian-lts-announce] 20180930 [SECURITY] [DLA 1527-1] ghostscript security update

GLSA-201811-12

USN-3768-1

DSA-4288

According to the versions of the ghostscript package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the ghostscript PDF14 compositor     did not properly handle the copying of a device. An     attacker could possibly exploit this to bypass the
    -dSAFER protection and crash ghostscript or, possibly,     execute arbitrary code in the ghostscript context via a     specially crafted PostScript     document.i1/4^CVE-2018-16540i1/4%0

  - It was discovered that the ghostscript gssetresolution     and gsgetresolution procedures were available, although     they have dangerous side effects. An attacker could     possibly exploit this to bypass the -dSAFER protection     and crash ghostscript or, possibly, execute arbitrary     code in the ghostscript context via a specially crafted     PostScript document.i1/4^CVE-2018-16543i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

  - CVE-2018-17183: Remote attackers were be able to supply     crafted PostScript to potentially overwrite or replace     error handlers to inject code (bsc#1109105)

  - CVE-2018-15909: Prevent type confusion using the .shfill     operator that could have been used by attackers able to     supply crafted PostScript files to crash the interpreter     or potentially execute code (bsc#1106172).

  - CVE-2018-15908: Prevent attackers that are able to     supply malicious PostScript files to bypass .tempfile     restrictions and write files (bsc#1106171).

  - CVE-2018-15910: Prevent a type confusion in the     LockDistillerParams parameter that could have been used     to crash the interpreter or execute code (bsc#1106173).

  - CVE-2018-15911: Prevent use uninitialized memory access     in the aesdecode operator that could have been used to     crash the interpreter or potentially execute code     (bsc#1106195).

  - CVE-2018-16513: Prevent a type confusion in the setcolor     function that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107412).

  - CVE-2018-16509: Incorrect 'restoration of privilege'     checking during handling of /invalidaccess exceptions     could be have been used by attackers able to supply     crafted PostScript to execute code using the 'pipe'     instruction (bsc#1107410).

  - CVE-2018-16510: Incorrect exec stack handling in the     'CS' and 'SC' PDF primitives could have been used by     remote attackers able to supply crafted PDFs to crash     the interpreter or possibly have unspecified other     impact (bsc#1107411).

  - CVE-2018-16542: Prevent attackers able to supply crafted     PostScript files from using insufficient interpreter     stack-size checking during error handling to crash the     interpreter (bsc#1107413).

  - CVE-2018-16541: Prevent attackers able to supply crafted     PostScript files from using incorrect free logic in     pagedevice replacement to crash the interpreter     (bsc#1107421).

  - CVE-2018-16540: Prevent use-after-free in copydevice     handling that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107420).

  - CVE-2018-16539: Prevent attackers able to supply crafted     PostScript files from using incorrect access checking in     temp file handling to disclose contents of files on the     system otherwise not readable (bsc#1107422).

  - CVE-2018-16543: gssetresolution and gsgetresolution     allowed attackers to have an unspecified impact     (bsc#1107423).

  - CVE-2018-16511: A type confusion in 'ztype' could have     been used by remote attackers able to supply crafted     PostScript to crash the interpreter or possibly have     unspecified other impact (bsc#1107426).

  - CVE-2018-16585: The .setdistillerkeys PostScript command     was accepted even though it is not intended for use     during document processing (e.g., after the startup     phase). This lead to memory corruption, allowing remote     attackers able to supply crafted PostScript to crash the     interpreter or possibly have unspecified other impact     (bsc#1107581).

  - CVE-2018-16802: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling could have been used by attackers able to     supply crafted PostScript to execute code using the     'pipe' instruction. This is due to an incomplete fix for     CVE-2018-16509 (bsc#1108027).

These non-security issues were fixed :

  - Fixes problems with argument handling, some unintended     results of the security fixes to the SAFER file access     restrictions (specifically accessing ICC profile files).

  - Avoid that ps2epsi fails with 'Error: /undefined in
    --setpagedevice--'

For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm

This update was imported from the SUSE:SLE-15:Update update project.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: gssetresolution and gsgetresolution memory     corruption(CVE-2018-16543)

  - ghostscript: use-after-free in copydevice     handling(CVE-2018-16540)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling (CVE-2018-16802)

  - ghostscript: User-writable error exception table     (CVE-2018-17183)

  - ghostscript: Saved execution stacks can leak operator     arrays (incomplete fix for CVE-2018-17183)     (CVE-2018-17961)

  - ghostscript: Saved execution stacks can leak operator     arrays (CVE-2018-18073)

  - ghostscript: 1Policy operator allows a sandbox     protection bypass (CVE-2018-18284)

  - ghostscript: Type confusion in setpattern (700141)     (CVE-2018-19134)

  - ghostscript: Improperly implemented security check in     zsetdevice function in psi/zdevice.c (CVE-2018-19409)

  - ghostscript: Uninitialized memory access in the     aesdecode operator (699665) (CVE-2018-15911)

  - ghostscript: incomplete fix for CVE-2018-16509     (CVE-2018-16863)

  - ghostscript: gssetresolution and gsgetresolution memory     corruption(CVE-2018-16543)

  - ghostscript: use-after-free in copydevice     handling(CVE-2018-16540)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a security update for `CVE-2018-16802`. It also fixes a printing problem discovered in one of the previous CVE fixes.

NOTE: *Please, be advised that there's a separate issue related to printing problems, which is connected to CUPS itself, meaning this update might not completely resolve your printing issues.*

----

This is a rebase to latest upstream version of `Ghostscript`, which fixes several high important CVEs recently discovered. It is advised to update this version as soon as possible.

----

Security fix for CVE-2018-15909 and some other bug fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a rebase to latest upstream version of `Ghostscript`, which fixes several high important CVEs recently discovered. It is advised to update this version as soon as possible.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105)

CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172).

CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171).

CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173).

CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195).

CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412).

CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410).

CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411).

CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413).

CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421).

CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420).

CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422).

CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423).

CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426).

CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581).

CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ghostscript: /invalidaccess bypass after failed     restore.(CVE-2018-16509)

  - ghostscript: LockDistillerParams type     confusion.(CVE-2018-15910)

  - ghostscript: definemodifiedfont memory corruption if     /typecheck is handled.(CVE-2018-16542)

  - ghostscript: Stack-based out-of-bounds write in     pdf_set_text_matrix function in gdevpdts.c     (CVE-2018-10194)

  - ghostscript: incorrect free logic in pagedevice     replacement.(CVE-2018-16541)

  - ghostscript:se-after-free in copydevice     handling.(CVE-2018-16540)

  - ghostscript:gssetresolution and gsgetresolution memory     corruption.(CVE-2018-16543)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-12 (GPL Ghostscript: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in GPL Ghostscript. Please       review the CVE identifiers referenced below for additional information.
  Impact :

    A context-dependent attacker could entice a user to open a specially       crafted PostScript file or PDF document using GPL Ghostscript possibly       resulting in the execution of arbitrary code with the privileges of the       process, a Denial of Service condition, or other unspecified impacts,   Workaround :

    There is no known workaround at this time.

This update for ghostscript to version 9.25 fixes the following issues :

These security issues were fixed :

  - CVE-2018-17183: Remote attackers were be able to supply     crafted PostScript to potentially overwrite or replace     error handlers to inject code (bsc#1109105)

  - CVE-2018-15909: Prevent type confusion using the .shfill     operator that could have been used by attackers able to     supply crafted PostScript files to crash the interpreter     or potentially execute code (bsc#1106172).

  - CVE-2018-15908: Prevent attackers that are able to     supply malicious PostScript files to bypass .tempfile     restrictions and write files (bsc#1106171).

  - CVE-2018-15910: Prevent a type confusion in the     LockDistillerParams parameter that could have been used     to crash the interpreter or execute code (bsc#1106173).

  - CVE-2018-15911: Prevent use uninitialized memory access     in the aesdecode operator that could have been used to     crash the interpreter or potentially execute code     (bsc#1106195).

  - CVE-2018-16513: Prevent a type confusion in the setcolor     function that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107412).

  - CVE-2018-16509: Incorrect 'restoration of privilege'     checking during handling of /invalidaccess exceptions     could be have been used by attackers able to supply     crafted PostScript to execute code using the 'pipe'     instruction (bsc#1107410).

  - CVE-2018-16510: Incorrect exec stack handling in the     'CS' and 'SC' PDF primitives could have been used by     remote attackers able to supply crafted PDFs to crash     the interpreter or possibly have unspecified other     impact (bsc#1107411).

  - CVE-2018-16542: Prevent attackers able to supply crafted     PostScript files from using insufficient interpreter     stack-size checking during error handling to crash the     interpreter (bsc#1107413).

  - CVE-2018-16541: Prevent attackers able to supply crafted     PostScript files from using incorrect free logic in     pagedevice replacement to crash the interpreter     (bsc#1107421).

  - CVE-2018-16540: Prevent use-after-free in copydevice     handling that could have been used to crash the     interpreter or possibly have unspecified other impact     (bsc#1107420).

  - CVE-2018-16539: Prevent attackers able to supply crafted     PostScript files from using incorrect access checking in     temp file handling to disclose contents of files on the     system otherwise not readable (bsc#1107422).

  - CVE-2018-16543: gssetresolution and gsgetresolution     allowed attackers to have an unspecified impact     (bsc#1107423).

  - CVE-2018-16511: A type confusion in 'ztype' could have     been used by remote attackers able to supply crafted     PostScript to crash the interpreter or possibly have     unspecified other impact (bsc#1107426).

  - CVE-2018-16585: The .setdistillerkeys PostScript command     was accepted even though it is not intended for use     during document processing (e.g., after the startup     phase). This lead to memory corruption, allowing remote     attackers able to supply crafted PostScript to crash the     interpreter or possibly have unspecified other impact     (bsc#1107581).

  - CVE-2018-16802: Incorrect 'restoration of privilege'     checking when running out of stack during exception     handling could have been used by attackers able to     supply crafted PostScript to execute code using the     'pipe' instruction. This is due to an incomplete fix for     CVE-2018-16509 (bsc#1108027).

These non-security issues were fixed :

  - Fixes problems with argument handling, some unintended     results of the security fixes to the SAFER file access     restrictions (specifically accessing ICC profile files).

  - Avoid that ps2epsi fails with 'Error: /undefined in
    --setpagedevice--'

For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm and the changes file of the package. This update was imported from the SUSE:SLE-12:Update update project.

Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security update for `CVE-2018-16543` and `CVE-2018-16510`, which were recently discovered.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Artifex Ghostscript installed on the remote Windows host is prior to 9.24. It is, therefore, affected by multiple vulnerabilities due to improperly handling PostScript data. A context-dependent attacker could cause a buffer overflow, potentially crashing the service.

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

ID	Name	Product	Family	Severity
123709	EulerOS Virtualization 2.5.3 : ghostscript (EulerOS-SA-2019-1241)	Nessus	Huawei Local Security Checks	medium
123326	openSUSE Security Update : ghostscript (openSUSE-2019-759)	Nessus	SuSE Local Security Checks	high
122170	EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-1023)	Nessus	Huawei Local Security Checks	high
122169	EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-1022)	Nessus	Huawei Local Security Checks	high
120572	Fedora 29 : ghostscript (2018-81ee973d7c)	Nessus	Fedora Local Security Checks	medium
120437	Fedora 28 : ghostscript (2018-56221eb24b)	Nessus	Fedora Local Security Checks	medium
120116	SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2018:2976-1)	Nessus	SuSE Local Security Checks	high
119919	EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2018-1430)	Nessus	Huawei Local Security Checks	high
119132	GLSA-201811-12 : GPL Ghostscript: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
118298	SUSE SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-2)	Nessus	SuSE Local Security Checks	high
117980	openSUSE Security Update : ghostscript (openSUSE-2018-1123)	Nessus	SuSE Local Security Checks	high
117979	openSUSE Security Update : ghostscript (openSUSE-2018-1122)	Nessus	SuSE Local Security Checks	high
117901	SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2018:2975-1)	Nessus	SuSE Local Security Checks	high
117595	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : ghostscript vulnerabilities (USN-3768-1)	Nessus	Ubuntu Local Security Checks	high
117534	Fedora 27 : ghostscript (2018-f1b1ed38b3)	Nessus	Fedora Local Security Checks	medium
117459	Artifex Ghostscript Multiple Vulnerabilities	Nessus	Windows	medium
117369	Debian DSA-4288-1 : ghostscript - security update	Nessus	Debian Local Security Checks	medium

CVE-2018-16543

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins