Bugzilla – Bug 1090099
VUL-0: CVE-2018-10194: ghostscript-library: Ghostscript 9.18 stack-based buffer overflow
Last modified: 2019-05-13 15:41:53 UTC
via distros CVE-2018-10194

From: Vítor Silva <vitorhg20080@gmail.com>

Hello,

I have found a possible RCE on ghostscript 9.18. Since this version is still on Ubuntu, I'm reporting to other distros to make sure you have your repos updated. The vendor has indirectly fixed the issue, so I think reporting on their Bugzilla doesn't add anything. A use case file is on their Bugzilla (look at the end of this e-mail).

[Suggested description]
pdf_set_text_matrix in gdevpdts.c in Artifex Ghostscript through 9.18 allows remote attackers to cause a denial of service (spprint.c pprintg1 stack-based out-of-bounds write) or possibly execute arbitrary code via a crafted PDF document.

------------------------------------------
[Additional Information]
This seems to affect only ghostscript 9.18 or less. My analysis suggests this is bad validation of input in pdf_set_text_matrix at gdevpdts.c, causing the pprintg1 function at spprint.c to write out of bounds of the stack. I can provide a file use case. Even though this seems not to trigger on newer versions, this package is still available on a lot of systems (such as Ubuntu or Debian) as the latest version available.

$ gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dHaveTrueTypes=true -dEmbedAllFonts=true \
    -dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" -f fuzzed-case1.ps
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Reg... 4743540 3133830 2015200 710957 1 done.
Loading NimbusRomNo9L-Med font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Med... 4820876 3332725 2035392 735152 1 done.
Loading NimbusMono-Regular font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Regular... 4900004 3527153 2055584 752136 1 done.
Loading NimbusMono-Bold font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Bold... 5118700 3762771 2095968 786137 1 done.
Loading NimbusRomNo9L-RegIta font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-RegIta... 5357220 4001795 2156544 851571 1 done.
Loading NimbusSanL-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusSanL-Reg... 5556092 4193319 2358464 1039445 1 done.
*** stack smashing detected ***: gs terminated
Aborted (core dumped)

------------------------------------------
[Vulnerability Type]
Buffer Overflow

------------------------------------------
[Vendor of Product]
ghostscript

------------------------------------------
[Affected Product Code Base]
ghostscript - 9.18

------------------------------------------
[Affected Component]
pprintg1 of ghostscript

------------------------------------------
[Attack Type]
Remote

------------------------------------------
[Impact Code execution]
true

------------------------------------------
[Impact Denial of Service]
true

------------------------------------------
[Attack Vectors]
crafted postscript can crash and/or execute code via buffer overflow

------------------------------------------
[Reference]
https://bugs.ghostscript.com/show_bug.cgi?id=699255
public
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages by 2018-05-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64033
SUSE-SU-2018:1332-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): ghostscript-9.15-23.10.2
SUSE Linux Enterprise Server 12-SP3 (src): ghostscript-9.15-23.10.2
SUSE Linux Enterprise Desktop 12-SP3 (src): ghostscript-9.15-23.10.2
Can you submit to Factory and SLE 15 please?
openSUSE-SU-2018:1348-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
openSUSE Leap 42.3 (src): ghostscript-9.15-14.6.1, ghostscript-mini-9.15-14.6.1
SUSE-SU-2018:1369-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2016-9601, CVE-2018-10194
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ghostscript-library-8.62-32.47.10.1
SUSE Linux Enterprise Server 11-SP4 (src): ghostscript-library-8.62-32.47.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ghostscript-library-8.62-32.47.10.1
This is an autogenerated message for OBS integration: This bug (1090099) was mentioned in https://build.opensuse.org/request/show/614287 Factory / ghostscript
SUSE-SU-2018:1884-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src): ghostscript-9.23-3.3.1
openSUSE-SU-2018:1909-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1090099
CVE References: CVE-2018-10194
Sources used:
openSUSE Leap 15.0 (src): ghostscript-9.23-lp150.2.3.1, ghostscript-mini-9.23-lp150.2.3.1
closing all released