Bugzilla – Bug 1118455
VUL-0: CVE-2018-19134: ghostscript,ghostscript-library: ghostscript: Type confusion in setpattern (700141)
Last modified: 2020-06-14 05:11:59 UTC
rh#1655599

There is a missing type check in line 292 of zcolor.c:
http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l292

Here `pPatInst` comes from the first array element of `pImpl`
http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l289
which comes from `op`:
http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l286

The type of `pPatInst` is not checked and is used in `r_ptr`, which accesses its `pstruct` value and then casts it into `gs_pattern_instance_t`. As `op` is an untrusted argument, this can lead to a type confusion issue when parsing malicious PostScript. (Access to arbitrary pointer)

Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=700141

Upstream fix:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=693baf02152119af6e6afd30bb8ec76d14f84bbf

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1655599
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19134
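
The missing check described above, as a simplified C model added here (not code from Ghostscript, its upstream fix, or this bug report). All `model_*` names, the error code and the sample values are hypothetical, and it assumes a platform where `intptr_t` and `void *` share a representation.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical model of a tagged interpreter object; not Ghostscript's types. */
enum model_type { M_INTEGER, M_STRUCT };
#define MODEL_E_TYPECHECK (-1)
struct model_ref {
    enum model_type type;
    union {
        intptr_t intval;   /* valid when type == M_INTEGER */
        void *pstruct;     /* valid when type == M_STRUCT  */
    } value;
};
struct model_pattern_instance { int pattern_type; };

/* Before: trusts that element 0 holds a struct pointer. For an integer
   element, the integer's bits come back as a pointer chosen by the input. */
struct model_pattern_instance *pattern_unchecked(const struct model_ref *impl)
{
    return (struct model_pattern_instance *)impl[0].value.pstruct;
}

/* After: check the element's tag before the cast, else report a type error. */
int pattern_checked(const struct model_ref *impl,
                    struct model_pattern_instance **out)
{
    if (impl[0].type != M_STRUCT)
        return MODEL_E_TYPECHECK;
    *out = impl[0].value.pstruct;
    return 0;
}

/* Constructed input: a one-element array holding the integer 0x1000. */
uintptr_t demo_unchecked_integer(void)
{
    struct model_ref impl[1] = { { M_INTEGER, { .intval = 0x1000 } } };
    return (uintptr_t)pattern_unchecked(impl);
}

/* Constructed inputs: integer element (use_struct == 0) or a real instance. */
int demo_checked(int use_struct)
{
    static struct model_pattern_instance real = { 1 };
    struct model_ref impl[1] = { { M_INTEGER, { .intval = 0x1000 } } };
    struct model_pattern_instance *out = NULL;
    if (use_struct) { impl[0].type = M_STRUCT; impl[0].value.pstruct = &real; }
    int rc = pattern_checked(impl, &out);
    return rc == 0 ? out->pattern_type : rc;
}
int main(void) { return demo_checked(0) == MODEL_E_TYPECHECK ? 0 : 1; }
```

The unchecked path hands back 0x1000 as if it were an instance pointer without ever dereferencing it here; the checked path rejects the same element and only returns a pointer for a struct-tagged one.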
This is fixed in SLE12 and SLE15 since the Ghostscript version upgrade to 9.26, but "CVE-2018-19134" is not mentioned in our ghostscript.changes file.
exploit description for code exec: https://lgtm.com/blog/ghostscript_CVE-2018-19134_exploit
released