Bug 1090099 (CVE-2018-10194)

Summary: VUL-0: CVE-2018-10194: ghostscript-library: Ghostscript 9.18 stack-based buffer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Johannes Meixner <jsmeix>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, atoptsoglou, daniel, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/204299/
Whiteboard: CVSSv3:RedHat:CVE-2018-10194:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:SUSE:CVE-2018-10194:7.0:(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2018-10194:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) maint:released:sle10-sp3:64034
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2018-04-18 16:20:11 UTC 
via distros

CVE-2018-10194

From: VĂ­tor Silva <vitorhg20080@gmail.com>

Hello,

I have found a possible RCE on ghostscript 9.18. Since version is still on ubuntu I'm reporting to other distros to make sure you have your repos updated.
The vendor has indirectly fixed the issue so I think by reporting on their bugzilla doesn't add anything. A usecase file is on their bugzilla (look at the end of this e-mail).


[Suggested description]
pdf_set_text_matrix in gdevpdts.c in
Artifex Ghostscript through 9.18
allows remote attackers to cause a denial of service (spprint.c
pprintg1 stack-based out-of-bounds write) or possibly execute arbitrary code
via a crafted PDF document.

------------------------------------------

[Additional Information]
This seems to be affected only on ghostscript 9.18 or less. My
analysis seems this is a bad validation on input at
pdf_set_text_matrix at gdevpdts.c causing pprintg1 function at
spprint.c to write outbounds of the stack.

I can provide with a file use case. Even this seems not to trigger on
newer versions, this package is still available on a lot of systems
(such as ubuntu or debian) as the latest version available.

$ gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dHaveTrueTypes=true -dEmbedAllFonts=true \
   -dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" -f fuzzed-case1.ps
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Reg... 4743540 3133830 2015200 710957 1 done.
Loading NimbusRomNo9L-Med font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Med... 4820876 3332725 2035392 735152 1 done.
Loading NimbusMono-Regular font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Regular... 4900004 3527153 2055584 752136 1 done.
Loading NimbusMono-Bold font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Bold... 5118700 3762771 2095968 786137 1 done.
Loading NimbusRomNo9L-RegIta font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-RegIta... 5357220 4001795 2156544 851571 1 done.
Loading NimbusSanL-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusSanL-Reg... 5556092 4193319 2358464 1039445 1 done.
*** stack smashing detected ***: gs terminated
Aborted (core dumped)

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
ghostscript


------------------------------------------

[Affected Product Code Base]
ghostscript - 9.18

------------------------------------------

[Affected Component]
pprintg1 of ghostscript

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
crafted postscript can crash and/or execute code via buffer overflow

------------------------------------------

[Reference]
https://bugs.ghostscript.com/show_bug.cgi?id=699255
Comment 3 Johannes Segitz 2018-04-20 05:22:53 UTC 
public
Comment 15 Swamp Workflow Management 2018-05-09 14:24:37 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-05-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64033
Comment 16 Swamp Workflow Management 2018-05-18 10:12:12 UTC 
SUSE-SU-2018:1332-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.15-23.10.2
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.15-23.10.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.15-23.10.2
Comment 17 Andreas Stieger 2018-05-19 15:09:20 UTC 
Can you submit to Factory and SLE 15 please?
Comment 18 Swamp Workflow Management 2018-05-19 19:08:03 UTC 
openSUSE-SU-2018:1348-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.15-14.6.1, ghostscript-mini-9.15-14.6.1
Comment 19 Swamp Workflow Management 2018-05-23 06:12:00 UTC 
SUSE-SU-2018:1369-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2016-9601,CVE-2018-10194
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.47.10.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.47.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.47.10.1
Comment 20 Swamp Workflow Management 2018-06-05 14:10:09 UTC 
This is an autogenerated message for OBS integration:
This bug (1090099) was mentioned in
https://build.opensuse.org/request/show/614287 Factory / ghostscript
Comment 23 Swamp Workflow Management 2018-07-05 10:13:53 UTC 
SUSE-SU-2018:1884-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.23-3.3.1
Comment 24 Swamp Workflow Management 2018-07-06 22:11:53 UTC 
openSUSE-SU-2018:1909-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.23-lp150.2.3.1, ghostscript-mini-9.23-lp150.2.3.1
Comment 25 Alexandros Toptsoglou 2019-05-13 15:41:53 UTC 
closing all released