Bugzilla – Bug 1226945
VUL-0: CVE-2024-29510: ghostscript,ghostscript-library: format string injection leads to shell command execution (SAFER bypass)
Last modified: 2024-07-04 11:20:33 UTC
The `uniprint` device allows the user to provide various string fragments as device options, which are later appended to the output file. Two of these parameters, `upWriteComponentCommands` and `upYMoveCommand`, are actually treated as format strings, specifically for `gp_fprintf` and `gs_snprintf`. For these, the intention is for the user to include just one format specifier in the string, but there is no logic preventing arbitrary format strings (with multiple specifiers) from being used.

With full control over the format string (by setting a page device with the respective options), and read access to the device output (by setting it to a temporary file path), an attacker can abuse this to leak data from the stack and perform memory corruption. This is specifically impactful in the cases of `gs_snprintf` (as opposed to `gp_fprintf`), as its format-string parsing logic is not hardened by compiler measures like `D_FORTIFY_SOURCE`, while it still supports the `%n` modifier.

References:
https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
https://bugs.ghostscript.com/show_bug.cgi?id=707662

Upstream commit:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29510
https://bugzilla.redhat.com/show_bug.cgi?id=2293950
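The missing check described above (a user-supplied template that should carry exactly one specifier) can be enforced before the string ever reaches a printf-family call. This is an added example, not Ghostscript code and not the upstream fix; `fmt_takes_one_int`, `format_checked` and the sample templates are hypothetical names and constructed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Skip at most max decimal digits; NULL if the field is longer than that. */
static const char *skip_digits(const char *p, int max)
{
    for (int n = 0; isdigit((unsigned char)*p); p++)
        if (++n > max)
            return NULL;
    return p;
}

/* Hypothetical helper: 1 only if fmt holds exactly one conversion and it
 * consumes a single int (d, i, u, o, x, X). "%%" is a literal percent.
 * Rejects %n, %s, %p, '*', length modifiers and positional "%1$d". */
int fmt_takes_one_int(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                          /* literal percent sign */
        while (*p && strchr("-+ #0", *p))      /* flags */
            p++;
        if (!(p = skip_digits(p, 3)))          /* width, capped at 3 digits */
            return 0;
        if (*p == '.' && !(p = skip_digits(p + 1, 3)))
            return 0;                          /* precision, same cap */
        if (*p == '\0' || !strchr("diuoxX", *p))
            return 0;                          /* anything but an int conversion */
        if (++conversions > 1)
            return 0;                          /* would read past the one argument */
    }
    return conversions == 1;
}

/* Format value through an untrusted template only after it validates. */
int format_checked(char *out, size_t outsz, const char *user_fmt, int value)
{
    return fmt_takes_one_int(user_fmt) ? snprintf(out, outsz, user_fmt, value) : -1;
}

int main(void)
{
    /* Constructed sample templates, not taken from a real printer setup. */
    const char *s[] = { "Y%04d;", "row %05d of 100%%", "%d%n", "%p %p %p", "%s", "%*d" };
    char buf[64];
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("[%s] -> %s\n", s[i], format_checked(buf, sizeof buf, s[i], 42) < 0 ? "rejected" : buf);
    return 0;
}
```
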
Fixed for OBS Printing and forwarded to openSUSE Factory
-----------------------------------------------------------
# osc request accept -m "Security fixes for \
CVE-2024-33869 bsc#1226946 and \
CVE-2023-52722 bsc#1223852 and \
CVE-2024-33870 bsc#1226944 and \
CVE-2024-33871 bsc#1225491 and \
CVE-2024-29510 bsc#1226945 \
for ghostscript and ghostscript-mini" 1184312
...
Forward this submit to it? ([y]/n)y
...
New request # 1184313
-----------------------------------------------------------
This is an autogenerated message for OBS integration: This bug (1226945) was mentioned in https://build.opensuse.org/request/show/1184313 Factory / ghostscript
SUSE-SU-2024:2276-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1226944, 1226945, 1226946
CVE References: CVE-2024-29510, CVE-2024-33869, CVE-2024-33870
Maintenance Incident: [SUSE:Maintenance:34522](https://smelt.suse.de/incident/34522/)

Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): ghostscript-9.52-23.80.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ghostscript-9.52-23.80.1
SUSE Linux Enterprise Server 12 SP5 (src): ghostscript-9.52-23.80.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ghostscript-9.52-23.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2292-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1226944, 1226945, 1226946
CVE References: CVE-2024-29510, CVE-2024-33869, CVE-2024-33870
Maintenance Incident: [SUSE:Maintenance:34519](https://smelt.suse.de/incident/34519/)

Sources used:
openSUSE Leap 15.5 (src): ghostscript-9.52-150000.194.1
openSUSE Leap 15.6 (src): ghostscript-9.52-150000.194.1
Basesystem Module 15-SP5 (src): ghostscript-9.52-150000.194.1
Basesystem Module 15-SP6 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ghostscript-9.52-150000.194.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): ghostscript-9.52-150000.194.1
SUSE Manager Proxy 4.3 (src): ghostscript-9.52-150000.194.1
SUSE Manager Retail Branch Server 4.3 (src): ghostscript-9.52-150000.194.1
SUSE Manager Server 4.3 (src): ghostscript-9.52-150000.194.1
SUSE Enterprise Storage 7.1 (src): ghostscript-9.52-150000.194.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.