Bugzilla – Bug 1190381
VUL-0: CVE-2021-3781: ghostscript: RCE injection
Last modified: 2022-06-20 14:15:27 UTC
https://bugs.ghostscript.com/show_bug.cgi?id=704342

Here's a trivial -dSAFER bypass that allows executing arbitrary shell
commands in the 9.55 Git version:

# bin/gs -dSAFER
GPL Ghostscript GIT PRERELEASE 9.55.0 (2021-03-30)
[...]
GS>(%pipe%/tmp/&id)(w)file
GS<1>sh: 1: /tmp/: Permission denied
uid=0(root) gid=0(root) groups=0(root)

Greetings
Jens
CVE-2021-3781 has been assigned to this flaw see https://bugs.ghostscript.com/show_bug.cgi?id=704342#c12
For SLE15:

A fixed Ghostscript is in IBS
home:jsmeix:branches:SUSE:SLE-15:Update/ghostscript.SUSE_SLE-15_Update

On my SLES15-SP3 test system (KVM virtual machine) without the fix
--------------------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>uid=0(root) gid=0(root) groups=0(root)
sh: /tmp/: Is a directory
quit
--------------------------------------------------------------------------
versus with the fix (long lines shown wrapped here)
--------------------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
   %loop_continue   --nostringval--   --nostringval--   false   1
   %stopped_push   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:732/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
--------------------------------------------------------------------------
There is also a PoC on GitHub that uses ImageMagick to trigger the vulnerability [0].
I tried to reproduce it on my SLE-12 (SP3, SP4, SP5), SLE-15 (GA, SP1, SP2, SP3)
and openSUSE test systems (containers) with no luck.

[0] https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50
Submitted for SLE15:
-------------------------------------------------------------
# osc -A https://api.suse.de mr -m \
'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
home:jsmeix:branches:SUSE:SLE-15:Update \
ghostscript.SUSE_SLE-15_Update \
SUSE:SLE-15:Update
Using target project 'SUSE:Maintenance'.
(release in 'SUSE:SLE-15:Update')
249584
-------------------------------------------------------------
For SLE12:

I think I have a fixed Ghostscript in IBS
home:jsmeix:branches:SUSE:SLE-12:Update/ghostscript.SUSE_SLE-12_Update

But I cannot test it on my SLES12 SP5 test system (KVM virtual machine)
because somehow it seems it does not start to build: for some time now

# osc -A https://api.suse.de results -v \
home:jsmeix:branches:SUSE:SLE-12:Update \
ghostscript.SUSE_SLE-12_Update

only shows "outdated" but it doesn't go into "building" state,
so I sit and wait...
With current Ghostscript 9.54 from the OBS Printing project
on my openSUSE Leap 15.2 laptop (long lines shown wrapped here):
--------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.54.0 (2021-03-30)
Copyright (C) 2021 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /ioerror in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
   %loop_continue   --nostringval--   --nostringval--   false   1
   %stopped_push   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:726/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Cannot allocate memory
Current file position is 24
GS<2>quit
--------------------------------------------------------------
so current Ghostscript 9.54 from the OBS Printing project is not vulnerable
to the exact reproducer, because the reproducer fails with
"Error: /ioerror in --file--".

Versus a fixed version with CVE-2021-3781.patch as is from
https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=a9bd3dec9fde
(long lines shown wrapped here):
--------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.54.0 (2021-03-30)
Copyright (C) 2021 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
   %loop_continue   --nostringval--   --nostringval--   false   1
   %stopped_push   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:726/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
--------------------------------------------------------------
which looks better because now the reproducer gets rejected with
"Error: /invalidfileaccess in --file--".

Therefore I submitted that fixed version to the OBS Printing project
and forwarded it to openSUSE:Factory
--------------------------------------------------------------
# osc submitrequest -m \
'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 917941
# osc request accept -m \
'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' 917941
Result of change request state: ok
openSUSE:Factory
Forward this submit to it? ([y]/n)y
The following submit request is already open: 880734.
Supersede the old request? (y/n/c) n
Ghostscript security fix CVE-2021-3781 (bsc#1190381) (forwarded request 917941 from jsmeix)
New request # 917942
--------------------------------------------------------------
This is an autogenerated message for OBS integration: This bug (1190381) was mentioned in https://build.opensuse.org/request/show/917942 Factory / ghostscript
Continuing "For SLE12" (cf. comment#5):

It seems the IBS build status is currently shown as "unexpected"
because all except x86_64 switched from "outdated" to "succeeded"
without a noticeable "building" in between,
but I need x86_64 to be able to test it.
I have no idea how long it may take until x86_64 also
switches from "outdated" to "succeeded".

Because I cannot test it I submit it now "bona fide"
without having tested it myself before on SLE12:
-------------------------------------------------------------
# isc mr -m \
'Ghostscript security fix CVE-2021-3781 (bsc#1190381)' \
home:jsmeix:branches:SUSE:SLE-12:Update \
ghostscript.SUSE_SLE-12_Update \
SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'.
(release in 'SUSE:SLE-12:Update')
249602
-------------------------------------------------------------
I submitted it for all affected code streams, so I re-assign it to security-team for further processing.
Test for SLE12:

On my SLES12-SP5 test system (KVM virtual machine) without the fix
(long lines shown wrapped here)
----------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
GS<1>uid=0(root) gid=0(root) groups=0(root)
sh: /tmp/: Is a directory
quit
----------------------------------------------------------------
versus with the fix (long lines shown wrapped here)
----------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 9.52 (2020-03-19)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY:
see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --file--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
   %loop_continue   --nostringval--   --nostringval--   false   1
   %stopped_push   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:732/1123(ro)(G)--   --dict:0/20(G)--   --dict:75/200(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 24
GS<2>quit
----------------------------------------------------------------
i.e. the same as the test for SLE15 in comment #2
(as expected, because both use the same Ghostscript sources).
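The before/after check done by hand in comment #2 and in the SLE12 test above, turned into a small script. This is an added example written for this page; it is not part of the bug report, of SUSE's packaging, or of the Ghostscript project. It assumes a `gs` binary on PATH and feeds it the same `-dSAFER -sDEVICE=nullpage` session the bug uses; the sample transcripts embedded in it are constructed from the outputs quoted in this bug, so the classifier can be exercised without a Ghostscript installation.

```python
"""
Regression check for the CVE-2021-3781 -dSAFER fix (added example, not code
from the bug report, SUSE's packaging, or the Ghostscript project).

It runs the reproducer quoted in the bug against a gs binary and classifies
the interpreter's answer, so a packager can tell an unpatched build
("vulnerable": the piped shell command actually ran) from a patched one
("rejected": /invalidfileaccess) or from a build where the reproducer merely
fails for an unrelated reason ("ioerror", as seen with Ghostscript 9.54).
"""
import re
import shutil
import subprocess

# The session the bug uses: `gs -dSAFER -sDEVICE=nullpage` reading PostScript
# from stdin.  The trailing `quit` ends the session so the check never hangs
# on the interactive prompt.  (Assumption: `gs` is on PATH.)
GS_ARGS = ["-dSAFER", "-sDEVICE=nullpage"]
REPRODUCER = "(%pipe%/tmp/&id)(w)file\nquit\n"

# Sample outputs constructed from the transcripts quoted in the bug comments
# (unpatched 9.52, patched 9.52, unpatched 9.54).
SAMPLE_UNPATCHED = (
    "GPL Ghostscript 9.52 (2020-03-19)\n"
    "GS>(%pipe%/tmp/&id)(w)file\n"
    "GS<1>uid=0(root) gid=0(root) groups=0(root)\n"
    "sh: /tmp/: Is a directory\n"
)
SAMPLE_PATCHED = (
    "GPL Ghostscript 9.52 (2020-03-19)\n"
    "GS>(%pipe%/tmp/&id)(w)file\n"
    "Error: /invalidfileaccess in --file--\n"
    "Operand stack:\n"
    "   (%pipe%/tmp/&id)   (w)\n"
    "Last OS error: Permission denied\n"
)
SAMPLE_IOERROR = (
    "GPL Ghostscript 9.54.0 (2021-03-30)\n"
    "GS>(%pipe%/tmp/&id)(w)file\n"
    "Error: /ioerror in --file--\n"
    "Last OS error: Cannot allocate memory\n"
)

# `id` prints "uid=<n>(<name>)".  The "GS<1>" prompt may precede it on the
# same line (see the unpatched transcript), so anchor on a word boundary
# rather than on the start of a line.
_ID_OUTPUT = re.compile(r"\buid=\d+\(")


def classify(output: str) -> str:
    """Classify a merged stdout+stderr transcript of the reproducer session.

    "vulnerable": the %pipe% command ran (id's output is present)
    "rejected":   SAFER refused the %pipe% device (/invalidfileaccess)
    "ioerror":    the open failed for an unrelated reason (/ioerror)
    "unknown":    none of the above
    The vulnerable check comes first: evidence of command execution outweighs
    any error text that may also be present.
    """
    if _ID_OUTPUT.search(output):
        return "vulnerable"
    if "/invalidfileaccess" in output:
        return "rejected"
    if "/ioerror" in output:
        return "ioerror"
    return "unknown"


def run_check(gs_binary: str = "gs", timeout: float = 30.0) -> str:
    """Run the reproducer against `gs_binary` and classify the result.

    stdout and stderr are merged because Ghostscript prints its error dump
    on stdout while a spawned shell inherits both descriptors.
    """
    proc = subprocess.run(
        [gs_binary, *GS_ARGS],
        input=REPRODUCER,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        timeout=timeout,
        check=False,
    )
    return classify(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("unpatched 9.52", SAMPLE_UNPATCHED),
                         ("patched 9.52", SAMPLE_PATCHED),
                         ("unpatched 9.54", SAMPLE_IOERROR)):
        print(f"{name}: {classify(sample)}")
    if shutil.which("gs"):
        print(f"local gs: {run_check()}")
```

`run_check()` returns "rejected" for a build carrying the a9bd3dec9fde patch and "vulnerable" for an unpatched 9.52; a result of "ioerror" or "unknown" means the reproducer did not get as far as the SAFER check, which is not evidence that the fix is present.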
# maintenance_jira_update_notice
openSUSE-SU-2021:3044-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
# maintenance_jira_update_notice
SUSE-SU-2021:3044-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Manager Retail Branch Server 4.0 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Manager Proxy 4.0 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server for SAP 15 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Server 15-LTSS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): libspectre-0.2.8-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): ghostscript-9.52-155.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): ghostscript-9.52-155.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE Enterprise Storage 6 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1
SUSE CaaS Platform 4.0 (src): ghostscript-9.52-155.1, libspectre-0.2.8-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
openSUSE-SU-2021:1273-1: An update that solves one vulnerability and has one errata is now available.

Category: security (critical)
Bug References: 1184123,1190381
CVE References: CVE-2021-3781
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): ghostscript-9.52-lp152.2.7.1, ghostscript-mini-9.52-lp152.2.7.1, libspectre-0.2.8-lp152.4.3.1
# maintenance_jira_update_notice
SUSE-SU-2021:3180-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1190381
CVE References: CVE-2021-3781
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud Crowbar 8 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud 9 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE OpenStack Cloud 8 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP5 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1
HPE Helion Openstack 8 (src): ghostscript-9.52-23.42.1, libspectre-0.2.7-12.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Only for the log, how it is on my SLES11-SP4 test system (KVM virtual machine)
with ghostscript-library-8.62 as is from SLES11-SP4 (long lines shown wrapped here)
-------------------------------------------------------------
# gs -dSAFER -sDEVICE=nullpage
GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file COPYING for details.
GS>(%pipe%/tmp/&id)(w)file
Error: /invalidfileaccess in --execute--
Operand stack:
   (%pipe%/tmp/&id)   (w)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--
   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
   %loop_continue   1801   2   3   %oparray_pop   --nostringval--
   --nostringval--   false   1   %stopped_push   .runexec2
   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push
   --nostringval--
Dictionary stack:
   --dict:1164/3371(ro)(G)--   --dict:0/20(G)--   --dict:70/200(L)--
Current allocation mode is local
Last OS error: 2
Current file position is 24
GS<2>quit
-------------------------------------------------------------
For SLE11 %pipe% is already protected by -dSAFER. I mark it as "already fixed" for those.