Bug 1036453 - (CVE-2017-8291) VUL-0: CVE-2017-8291: ghostscript,ghostscript-library: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remotecommand execution via a "/Ou...
(CVE-2017-8291)
VUL-0: CVE-2017-8291: ghostscript,ghostscript-library: Artifex Ghostscript th...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/184447/
CVSSv2:SUSE:CVE-2017-8291:7.5:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-27 05:56 UTC by Marcus Meissner
Modified: 2019-05-01 13:46 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xx.ps (25 bytes, text/plain)
2017-05-15 12:12 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-04-27 05:56:53 UTC
CVE-2017-8291

Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote
command execution via a "/OutputFile (%pipe%" substring in a crafted
.eps document that is an input to the gs program, as exploited in the
wild in April 2017.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
Comment 1 Marcus Meissner 2017-04-27 06:01:13 UTC
https://bugs.ghostscript.com/show_bug.cgi?id=697808
Comment 2 Marcus Meissner 2017-04-27 06:02:37 UTC
Created attachment 722878 [details]
exploit2.eps

QA REPRODUCER:

rm /tmp/test2
gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
ll /tmp/test2
-rw-r--r-- 1 marcus users 0 Apr 27 07:59 /tmp/test2


should not create a file /tmp/test2
Comment 3 Marcus Meissner 2017-04-27 06:05:05 UTC
there seems no fix ready, but at least some further evaluation in the ghostscript bug
Comment 4 Johannes Meixner 2017-04-27 07:31:30 UTC
No fix => NEEDINFO until fix appears.
Comment 5 Johannes Meixner 2017-04-27 08:11:17 UTC
Only FYI:

Because of the endless sequence of various kind of security issues
in programs that are used for print job processing I updated

https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

therein the text about

"It is crucial to limit access to CUPS to trusted users."

In particular I added (excerpt):
----------------------------------------------------------------------------
In theory all those programs that run on the CUPS server
are safe against misuse.

In practice there is an endless sequence of various kind of
security issues that appear every now and then in this or that
particular program which get fixed issue by issue ad infinitum
(and ad nauseam).

In the end all together means that users who are allowed
to submit print jobs to a CUPS server are allowed
to upload arbitrary data onto the CUPS server and
run arbitrary programs in arbitrary ways (usually as user 'lp')
on the CUPS server and finally access and contol
the printer hardware as they like. 
----------------------------------------------------------------------------
Comment 6 Peter Simons 2017-04-27 08:46:48 UTC
The upstream discussion has moved to https://bugs.ghostscript.com/show_bug.cgi?id=697799, which is not accessible to the general public, i.e. I cannot access it.
Comment 8 Johannes Meixner 2017-04-27 09:01:10 UTC
After login to Ghostscript's bugzilla
I am also not authorized to access
https://bugs.ghostscript.com/show_bug.cgi?id=697799
Comment 9 Marcus Meissner 2017-04-27 14:47:11 UTC
They probably locked down the ghostscript bug. I was able to access it anonymously this morning.
Comment 11 Henry Stiles 2017-04-27 20:16:51 UTC
Of course we (Ghostscript) made parts of the bug private, it's an exploit!  Why is the data not private here?  Who can I speak to about the handling of security exploits at this forum?

Incidentally the bugs are fixed.  The information needed to get the patches in not private.
Comment 13 Marcus Meissner 2017-04-28 06:34:54 UTC
This bug contains information that was public at your site at the time I opened and worked on it.

Retroactively making things secret does not really work in the security world as a lot of vendors / third parties / threat actors do the same, publically available or not.

We made the reproducer comments in this bug private now. Others, please ask the ghostscript team for it.
Comment 15 Swamp Workflow Management 2017-04-28 22:09:45 UTC
SUSE-SU-2017:1138-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1018128,1030263,1032114,1032120,1036453
CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12-SP2 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ghostscript-9.15-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ghostscript-9.15-20.1
Comment 16 Henry Stiles 2017-04-30 17:13:05 UTC
(In reply to Marcus Meissner from comment #13)
> This bug contains information that was public at your site at the time I
> opened and worked on it.
> 

Yes there is a window of time between the user entering the bug and when our engineers see it, we can't control that.  I recommend using password protected zip archives to deliver the information on a public forum and leaving an email contact address to get the password.  Unfortunately the original poster did not do that.

> Retroactively making things secret does not really work in the security
> world as a lot of vendors / third parties / threat actors do the same,
> publically available or not.
> 

I believe less dissemination lowers the attack probability.

> We made the reproducer comments in this bug private now. Others, please ask
> the ghostscript team for it.

We are now using a private group for security on bugs.ghostcript.com, should I include you in the group representing Suse or is there another security representative?
Comment 36 Johannes Meixner 2017-05-02 13:16:41 UTC
Fixed Ghostscript 9.21 and submitted it to OBS Printing
and forwarded it to Factory/Tumbleweed:
---------------------------------------------------------------------------
$ osc submitrequest -m 'CVE-2017-8291.patch
 fixes a type confusion in .rsdparams and .eqproc
 see https://bugs.ghostscript.com/show_bug.cgi?id=697808
 and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453)'
 home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 492484

$ osc request accept -m 'CVE-2017-8291.patch
 fixes a type confusion in .rsdparams and .eqproc
 see https://bugs.ghostscript.com/show_bug.cgi?id=697808
 and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453)'
492484                                                        

Result of change request state: ok
openSUSE:Factory 
Forward this submit to it? ([y]/n)There are already the following submit request: 489318.
Supersede the old requests? (y/n/c) y
CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc
see https://bugs.ghostscript.com/show_bug.cgi?id=697808
and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453)
(forwarded request 492484 from jsmeix)
New request # 492485
---------------------------------------------------------------------------
Comment 37 Swamp Workflow Management 2017-05-02 13:20:17 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63582
Comment 40 Bernhard Wiedemann 2017-05-02 14:01:12 UTC
This is an autogenerated message for OBS integration:
This bug (1036453) was mentioned in
https://build.opensuse.org/request/show/492485 Factory / ghostscript
Comment 42 Marcus Meissner 2017-05-02 14:44:40 UTC
    (In reply to Henry Stiles from comment #16)

    > We are now using a private group for security on bugs.ghostcript.com, should
    > I include you in the group representing Suse or is there another security
    > representative?


    I would appreciate that! Can you include me (meissner at suse.de and Johannes Meixner ) ?
Comment 43 Johannes Meixner 2017-05-03 07:44:07 UTC
Henry Stiles,
I would appreciate it if I was added to your
private group for security on bugs.ghostscript.com.
My login name at bugs.ghostscript.com is: jsmeix at suse.de
Comment 44 Johannes Meixner 2017-05-03 08:25:49 UTC
Only a side note FYI
regarding possible regressions because of
various security update patches, have a look at
https://bugs.ghostscript.com/show_bug.cgi?id=697846
and see
https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.4
what security update patches were applied there.
Comment 45 Swamp Workflow Management 2017-05-03 13:10:20 UTC
SUSE-SU-2017:1153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1036453
CVE References: CVE-2017-8291
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.44.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.44.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.44.1
Comment 46 Henry Stiles 2017-05-03 13:45:25 UTC
(In reply to Marcus Meissner from comment #42)
>     (In reply to Henry Stiles from comment #16)
> 
>     > We are now using a private group for security on bugs.ghostcript.com,
> should
>     > I include you in the group representing Suse or is there another
> security
>     > representative?
> 
> 
>     I would appreciate that! Can you include me (meissner at suse.de and
> Johannes Meixner ) ?


Both of you have been added.
Comment 47 Swamp Workflow Management 2017-05-08 16:16:30 UTC
openSUSE-SU-2017:1203-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1018128,1030263,1032114,1032120,1036453
CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291
Sources used:
openSUSE Leap 42.2 (src):    ghostscript-9.15-11.3.1, ghostscript-mini-9.15-11.3.1
openSUSE Leap 42.1 (src):    ghostscript-9.15-17.1, ghostscript-mini-9.15-17.1
Comment 48 Leopoldo Macias 2017-05-11 14:34:01 UTC
Hello, My customer is asking for an estimated date for when this bug fix will be released for SUSE Linux Enterprise Server 11-SP3-LTSS.
Thanks
Comment 53 Swamp Workflow Management 2017-05-15 05:19:06 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-22.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63603
Comment 54 Marcus Meissner 2017-05-15 12:12:41 UTC
Created attachment 725025 [details]
xx.ps

smaller reproducer
Comment 55 Swamp Workflow Management 2017-05-17 10:09:39 UTC
SUSE-SU-2017:1322-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1036453
CVE References: CVE-2017-8291
Sources used:
SUSE OpenStack Cloud 5 (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.46.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ghostscript-library-8.62-32.46.1
Comment 58 Marcus Meissner 2017-05-19 07:13:07 UTC
all done
Comment 59 Swamp Workflow Management 2017-05-24 19:14:08 UTC
SUSE-SU-2017:1404-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1018128,1030263,1032114,1032120,1036453
CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Server for SAP 12 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Server 12-SP2 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ghostscript-9.15-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ghostscript-9.15-22.1