Bug 1144621 (CVE-2019-10216)

Summary: VUL-0: CVE-2019-10216: ghostscript, ghostscript-library: privilege escalation via specially crafted PostScript file
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, meissner, stefan.fent, werner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3:SUSE:CVE-2019-10216:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 12 Marcus Meissner 2019-08-12 13:29:05 UTC 
To: oss-security@lists.openwall.com
Date: Mon, 12 Aug 2019 15:25:15 +0200
Subject: [oss-security] ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includesi.
URL : www.ghostscript.com

The flaw is a usual "getting a reference to a privileged function" (the script must successfully be able to overload the error handling code to take advantage of that flaw), allowing arbia.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could use i.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy : 
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFil .
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove SAFER, and modify the /PermitFile* lists. However, the interpreter will i.

Best regards,

--
Cedric Buissart
Product Security
Red Hat
Comment 13 Swamp Workflow Management 2019-09-10 16:12:40 UTC 
SUSE-SU-2019:2347-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26a-23.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-09-10 16:15:40 UTC 
SUSE-SU-2019:2348-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26a-3.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-09-16 10:10:55 UTC 
openSUSE-SU-2019:2139-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.26a-lp151.3.3.1, ghostscript-mini-9.26a-lp151.3.3.1
Comment 16 Dr. Werner Fink 2019-09-16 13:17:03 UTC 
Also NOT part of ghostscript 9.27
Comment 17 Swamp Workflow Management 2019-09-16 14:10:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1144621) was mentioned in
https://build.opensuse.org/request/show/731293 Factory / ghostscript
Comment 18 Swamp Workflow Management 2019-09-24 13:23:17 UTC 
openSUSE-SU-2019:2160-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26a-lp150.2.20.1, ghostscript-mini-9.26a-lp150.2.20.1
Comment 19 Dr. Werner Fink 2019-10-23 08:00:48 UTC 
done
Comment 20 Marcus Meissner 2020-01-28 07:33:34 UTC 
released