Bug 1108027 (CVE-2018-16802) - VUL-0: CVE-2018-16802: ghostscript,ghostscript-library: An issue was discovered in Artifex Ghostscript before 9.25. Incorrect"restoration of privilege" checking when running out of stack during exceptionhandling could be used by attackers
Summary: VUL-0: CVE-2018-16802: ghostscript,ghostscript-library: An issue was discover...
Status: RESOLVED FIXED
Alias: CVE-2018-16802
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/214041/
Whiteboard: CVSSv3:SUSE:CVE-2018-16802:8.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-11 14:18 UTC by Marcus Meissner
Modified: 2020-06-14 05:11 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2018-16802.ps (555 bytes, application/postscript)
2018-09-11 14:24 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-09-11 14:18:45 UTC
CVE-2018-16802

An issue was discovered in Artifex Ghostscript before 9.25. Incorrect
"restoration of privilege" checking when running out of stack during exception
handling could be used by attackers able to supply crafted PostScript to execute
code using the "pipe" instruction. This is due to an incomplete fix for
CVE-2018-16509.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16802
http://seclists.org/oss-sec/2018/q3/233
http://www.cvedetails.com/cve/CVE-2018-16802/
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24dbd002fb9c131313253c307cf3951b3d47
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
https://seclists.org/oss-sec/2018/q3/229
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
https://seclists.org/oss-sec/2018/q3/228
Comment 1 Marcus Meissner 2018-09-11 14:24:27 UTC
Created attachment 782812 [details]
CVE-2018-16802.ps

QA REPRODUCER:

gs -dSAFER CVE-2018-16802.ps 

should NOT include:
uid=10574(meissner) gid=50(suse) Gruppen=50(suse)

or similar.
Comment 4 Swamp Workflow Management 2018-10-02 19:10:26 UTC
SUSE-SU-2018:2975-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.25-23.13.1
Comment 5 Swamp Workflow Management 2018-10-02 19:13:25 UTC
SUSE-SU-2018:2976-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.2.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.25-3.6.1
Comment 6 Swamp Workflow Management 2018-10-05 19:12:38 UTC
openSUSE-SU-2018:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.25-14.9.1, ghostscript-mini-9.25-14.9.1
Comment 7 Swamp Workflow Management 2018-10-05 19:15:24 UTC
openSUSE-SU-2018:3038-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.25-lp150.2.6.1, ghostscript-mini-9.25-lp150.2.6.1, libspectre-0.2.8-lp150.2.3.1
Comment 9 Swamp Workflow Management 2018-10-18 18:02:30 UTC
SUSE-SU-2018:2975-2: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.25-23.13.1
Comment 10 Masaru Nomiya 2018-11-06 11:58:51 UTC
You've still forgotten to add the patch file;

 http://www.linuxfromscratch.org/patches/blfs/svn/ghostscript-9.25-security_fixes-2.patch

With this patch, the problem reported on the Mailing list can be solved.

In the Message; 

  Subject    : [opensuse] ghostscript + gv / epstopdf problems after recent update
  Message-ID : <CABkVZH1Nx-xHpLCdfxmK7djCRgVFduUaio-G8pnJLNB2B_bsew@mail.gmail.com>
  Date & Time: Mon, 5 Nov 2018 11:48:00 +0000

Boris Gaensicke <boris.gaensicke@gmail.com> has written:

> Hi,

> I'm on LEAP 15.0, and a recent update of ghostscript (gs) to version
> 9.25 broke some functionality in the interplay between gv / epstopdf
> and ghostscript.

> The attached simple eps file displays find in gs, but loading it in
> gv, or trying to convert it to pdf  reports the error listed below.

> Maybe it's some incompatibility between the new version of gs, and gv
> / epstopdf which call gs, but I'm not sure how to test this on my
> system. Any suggestions will be much appreciated.

> Boris

> Error: /nocurrentpoint in --currentpoint--GPL Ghostscript 9.25:
> Unrecoverable error, exit code 1

> Operand stack:

> Execution stack:
>     %interp_exit   .runexec2   --nostringval--   --nostringval--
> --nostringval--   2   %stopped_push   --nostringval--
> --nostringval--   --nostringval--   false   1   %stopped_push   1999
> 1   3   %oparray_pop   1998   1   3   %oparray_pop   --nostringval--
> 1982   1   3   %oparray_pop   1868   1   3   %oparray_pop
> --nostringval--   %errorexec_pop   .runexec2   --nostringval--
> --nostringval--   --nostringval--   2   %stopped_push
> --nostringval--   --nostringval--
> Dictionary stack:
>    --dict:965/1684(ro)(G)--   --dict:0/20(G)--   --dict:82/200(L)--
> --dict:12/20(L)--
> Current allocation mode is local
> Current file position is 661
> [2 test.eps <application/postscript (base64)>]


Anothe question;

In the ghostscript-9.25-XX.src.rpm, the patch 'remove-zilb-h-dependency.patch is included, but not applied when building.

Is this patch unnecessary?

Regards,
Comment 11 Swamp Workflow Management 2019-04-27 22:42:54 UTC
SUSE-SU-2018:2975-3: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.25-23.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2020-01-28 07:18:41 UTC
released