To: oss-security@lists.openwall.com
Date: Mon, 12 Aug 2019 15:25:15 +0200
Subject: [oss-security] ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includesi.
URL : www.ghostscript.com

The flaw is a usual "getting a reference to a privileged function" (the script must successfully be able to overload the error handling code to take advantage of that flaw), allowing arbia.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could use i.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy : 
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFil .
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove SAFER, and modify the /PermitFile* lists. However, the interpreter will i.

Best regards,

--
Cedric Buissart
Product Security
Red Hat

SUSE-SU-2019:2347-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26a-23.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2348-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26a-3.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2139-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.26a-lp151.3.3.1, ghostscript-mini-9.26a-lp151.3.3.1

Also NOT part of ghostscript 9.27

This is an autogenerated message for OBS integration:
This bug (1144621) was mentioned in
https://build.opensuse.org/request/show/731293 Factory / ghostscript

openSUSE-SU-2019:2160-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26a-lp150.2.20.1, ghostscript-mini-9.26a-lp150.2.20.1

done

released