Bug 1117022 – VUL-0: CVE-2018-19409: ghostscript,ghostscript-library: LockSafetyParams is not checked correctly if another device is used

Bug 1117022 - (CVE-2018-19409) VUL-0: CVE-2018-19409: ghostscript,ghostscript-library: LockSafetyParams is not checked correctly if another device is used

(CVE-2018-19409)
Summary:	VUL-0: CVE-2018-19409: ghostscript,ghostscript-library: LockSafetyParams is n...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/219554/
Whiteboard:	CVSSv3:SUSE:CVE-2018-19409:7.1:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-11-22 10:25 UTC by Robert Frohl
Modified:	2020-06-15 13:28 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
POC (59.94 KB, application/pdf) 2019-05-13 16:57 UTC, Alexandros Toptsoglou	Details
correct POC (801.25 KB, application/pdf) 2019-05-20 15:39 UTC, Alexandros Toptsoglou	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2018-11-22 10:25:11 UTC

CVE-2018-19409

An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is
not checked correctly if another device is used.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19409
http://www.cvedetails.com/cve/CVE-2018-19409/
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f
https://bugs.ghostscript.com/show_bug.cgi?id=700176

Comment 1 Robert Frohl 2018-11-22 10:30:53 UTC

Hi Johannes,
my investigation suggests that all codestreams are affected:
- SUSE:SLE-15:Update/ghostscript
- SUSE:SLE-12:Update/ghostscript
- SUSE:SLE-11-SP1:Update/ghostscript-library
- SUSE:SLE-10-SP3:Update/ghostscript-library

Included in the new 9.26 release.

Rating this issue is a bit hard because the available information is not very useful for outside consumption and the upstream ticket is not accessible to me. Rating it as VUL-1 for now.

Upstream patch:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=661e8d8fb8248c38d67958beda32f3a5876d0c3f

Comment 4 Swamp Workflow Management 2018-12-12 17:10:23 UTC

SUSE-SU-2018:4087-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26-3.9.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.4.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26-3.9.4

Comment 5 Swamp Workflow Management 2018-12-12 20:11:43 UTC

SUSE-SU-2018:4090-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1

Comment 6 Swamp Workflow Management 2018-12-15 11:11:40 UTC

openSUSE-SU-2018:4138-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26-lp150.2.9.1, ghostscript-mini-9.26-lp150.2.9.1, libspectre-0.2.8-lp150.2.6.2

Comment 7 Swamp Workflow Management 2018-12-15 11:15:05 UTC

openSUSE-SU-2018:4140-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26-14.12.1, ghostscript-mini-9.26-14.12.1, libspectre-0.2.7-17.4.2

Comment 8 Swamp Workflow Management 2019-04-27 22:38:48 UTC

SUSE-SU-2018:4090-2: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Alexandros Toptsoglou 2019-05-13 16:57:19 UTC

Created attachment 804907 [details]
POC

Reproduce: 
gs -DSAFER $POC
Further info at https://bugs.ghostscript.com/show_bug.cgi?id=700176#c0

Comment 11 Alexandros Toptsoglou 2019-05-20 15:39:31 UTC

Created attachment 805508 [details]
correct POC

Comment 14 Marcus Meissner 2020-01-28 07:24:15 UTC

released