Bug 1212711 (CVE-2023-36664)

Summary: VUL-0: CVE-2023-36664: ghostscript-library,ghostscript: permission validation mishandling for pipe devices (with the %pipe% prefix or the | pipe character prefix)
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: brahmajit.das, carlos.lopez, doerges, jsmeix, meissner, security-team, smishos
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370464/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-36664:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Carlos López 2023-06-26 08:30:25 UTC
The patch would apply for:
- SUSE:ALP:Source:Standard:1.0/ghostscript
- SUSE:SLE-12:Update/ghostscript
- SUSE:SLE-15:Update/ghostscript
- openSUSE:Factory/ghostscript
Comment 6 Johannes Meixner 2023-07-04 07:42:09 UTC
Fixed for openSUSE:Factory
-------------------------------------------------------------
# osc request accept -m "Security fix CVE-2023-36664 \
 bsc#1212711 for ghostscript and ghostscript-mini" \
 1096684

Result of change request state: ok
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
Security fix CVE-2023-36664 bsc#1212711
 for ghostscript and ghostscript-mini
 (forwarded request 1096684 from jsmeix)
New request # 1096685
-------------------------------------------------------------
Comment 7 OBSbugzilla Bot 2023-07-04 08:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1212711) was mentioned in
https://build.opensuse.org/request/show/1096685 Factory / ghostscript
Comment 10 Steven Mishos 2023-07-14 01:46:39 UTC
(In reply to Carlos López from comment #1)
> The patch would apply for:
> - SUSE:ALP:Source:Standard:1.0/ghostscript
> - SUSE:SLE-12:Update/ghostscript
> - SUSE:SLE-15:Update/ghostscript
> - openSUSE:Factory/ghostscript

Is Tumbleweed covered in one of those categories so it's remediated?

My TW installation, with all current updates applied, has ghostscript 9.56.1-4.1 which is vulnerable based on my (admittedly limited) understanding of this CVE.
Comment 11 Marcus Meissner 2023-07-14 06:56:20 UTC
Factory submits turn into Tumbleweed fixes.

You can check here:
  https://www.suse.com/security/cve/CVE-2023-36664.html

The version 9.56.1-4.1 is the fixed version for tumbleweed.
Comment 12 Maintenance Automation 2023-07-14 13:15:33 UTC
SUSE-SU-2023:2829-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212711
CVE References: CVE-2023-36664
Sources used:
SUSE Linux Enterprise Real Time 15 SP3 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ghostscript-9.52-150000.167.1
SUSE Manager Proxy 4.2 (src): ghostscript-9.52-150000.167.1
SUSE Manager Retail Branch Server 4.2 (src): ghostscript-9.52-150000.167.1
SUSE Manager Server 4.2 (src): ghostscript-9.52-150000.167.1
SUSE Enterprise Storage 7.1 (src): ghostscript-9.52-150000.167.1
SUSE Enterprise Storage 7 (src): ghostscript-9.52-150000.167.1
SUSE CaaS Platform 4.0 (src): ghostscript-9.52-150000.167.1
openSUSE Leap 15.4 (src): ghostscript-9.52-150000.167.1
openSUSE Leap 15.5 (src): ghostscript-9.52-150000.167.1
Basesystem Module 15-SP4 (src): ghostscript-9.52-150000.167.1
Basesystem Module 15-SP5 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ghostscript-9.52-150000.167.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ghostscript-9.52-150000.167.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Steven Mishos 2023-07-14 17:04:28 UTC
(In reply to Marcus Meissner from comment #11)
> Factory submits turn into Tumbleweed fixes.
> 
> You can check here:
>   https://www.suse.com/security/cve/CVE-2023-36664.html
> 
> The version 9.56.1-4.1 is the fixed version for tumbleweed.

I appreciate both insights, thank you.
Comment 14 Maintenance Automation 2023-07-17 09:37:09 UTC
SUSE-SU-2023:2844-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212711
CVE References: CVE-2023-36664
Sources used:
SUSE OpenStack Cloud 9 (src): ghostscript-9.52-23.54.1
SUSE OpenStack Cloud Crowbar 9 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server 12 SP5 (src): ghostscript-9.52-23.54.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ghostscript-9.52-23.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Till Dörges 2023-07-17 12:22:50 UTC
For lack of a better place:

LibreOffice and other applications that are also shipped with openSUSE Leap/SLE are mentioned as a potential attack vector for this vulnerability.

Does the fix from this ticket also mitigate/close these attack vectors?

Thanks!
Comment 16 Marcus Meissner 2023-07-17 12:30:01 UTC
As LibreOffice does not contain ghostscript copies but calls into system ghostscript, they are fixed by the ghostscript system updates referenced here.
Comment 34 Carlos López 2024-02-22 14:45:44 UTC
Done, closing.