Bugzilla – Bug 1036453
VUL-0: CVE-2017-8291: ghostscript,ghostscript-library: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remotecommand execution via a "/Ou...
Last modified: 2019-05-01 13:46:09 UTC
CVE-2017-8291 Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8291 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
https://bugs.ghostscript.com/show_bug.cgi?id=697808
Created attachment 722878 [details] exploit2.eps QA REPRODUCER: rm /tmp/test2 gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps ll /tmp/test2 -rw-r--r-- 1 marcus users 0 Apr 27 07:59 /tmp/test2 should not create a file /tmp/test2
there seems no fix ready, but at least some further evaluation in the ghostscript bug
No fix => NEEDINFO until fix appears.
Only FYI: Because of the endless sequence of various kind of security issues in programs that are used for print job processing I updated https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings therein the text about "It is crucial to limit access to CUPS to trusted users." In particular I added (excerpt): ---------------------------------------------------------------------------- In theory all those programs that run on the CUPS server are safe against misuse. In practice there is an endless sequence of various kind of security issues that appear every now and then in this or that particular program which get fixed issue by issue ad infinitum (and ad nauseam). In the end all together means that users who are allowed to submit print jobs to a CUPS server are allowed to upload arbitrary data onto the CUPS server and run arbitrary programs in arbitrary ways (usually as user 'lp') on the CUPS server and finally access and contol the printer hardware as they like. ----------------------------------------------------------------------------
The upstream discussion has moved to https://bugs.ghostscript.com/show_bug.cgi?id=697799, which is not accessible to the general public, i.e. I cannot access it.
After login to Ghostscript's bugzilla I am also not authorized to access https://bugs.ghostscript.com/show_bug.cgi?id=697799
They probably locked down the ghostscript bug. I was able to access it anonymously this morning.
Of course we (Ghostscript) made parts of the bug private, it's an exploit! Why is the data not private here? Who can I speak to about the handling of security exploits at this forum? Incidentally the bugs are fixed. The information needed to get the patches in not private.
from https://bugs.ghostscript.com/show_bug.cgi?id=697799 This is fixed with: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88 and https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce1
This bug contains information that was public at your site at the time I opened and worked on it. Retroactively making things secret does not really work in the security world as a lot of vendors / third parties / threat actors do the same, publically available or not. We made the reproducer comments in this bug private now. Others, please ask the ghostscript team for it.
SUSE-SU-2017:1138-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1018128,1030263,1032114,1032120,1036453 CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Server 12-SP2 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Server 12-SP1 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Desktop 12-SP2 (src): ghostscript-9.15-20.1 SUSE Linux Enterprise Desktop 12-SP1 (src): ghostscript-9.15-20.1
(In reply to Marcus Meissner from comment #13) > This bug contains information that was public at your site at the time I > opened and worked on it. > Yes there is a window of time between the user entering the bug and when our engineers see it, we can't control that. I recommend using password protected zip archives to deliver the information on a public forum and leaving an email contact address to get the password. Unfortunately the original poster did not do that. > Retroactively making things secret does not really work in the security > world as a lot of vendors / third parties / threat actors do the same, > publically available or not. > I believe less dissemination lowers the attack probability. > We made the reproducer comments in this bug private now. Others, please ask > the ghostscript team for it. We are now using a private group for security on bugs.ghostcript.com, should I include you in the group representing Suse or is there another security representative?
Fixed Ghostscript 9.21 and submitted it to OBS Printing and forwarded it to Factory/Tumbleweed: --------------------------------------------------------------------------- $ osc submitrequest -m 'CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc see https://bugs.ghostscript.com/show_bug.cgi?id=697808 and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453)' home:jsmeix:branches:Printing ghostscript Printing ghostscript created request id 492484 $ osc request accept -m 'CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc see https://bugs.ghostscript.com/show_bug.cgi?id=697808 and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453)' 492484 Result of change request state: ok openSUSE:Factory Forward this submit to it? ([y]/n)There are already the following submit request: 489318. Supersede the old requests? (y/n/c) y CVE-2017-8291.patch fixes a type confusion in .rsdparams and .eqproc see https://bugs.ghostscript.com/show_bug.cgi?id=697808 and https://bugs.ghostscript.com/show_bug.cgi?id=697799 (bsc#1036453) (forwarded request 492484 from jsmeix) New request # 492485 ---------------------------------------------------------------------------
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-05-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63582
This is an autogenerated message for OBS integration: This bug (1036453) was mentioned in https://build.opensuse.org/request/show/492485 Factory / ghostscript
(In reply to Henry Stiles from comment #16) > We are now using a private group for security on bugs.ghostcript.com, should > I include you in the group representing Suse or is there another security > representative? I would appreciate that! Can you include me (meissner at suse.de and Johannes Meixner ) ?
Henry Stiles, I would appreciate it if I was added to your private group for security on bugs.ghostscript.com. My login name at bugs.ghostscript.com is: jsmeix at suse.de
Only a side note FYI regarding possible regressions because of various security update patches, have a look at https://bugs.ghostscript.com/show_bug.cgi?id=697846 and see https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.4 what security update patches were applied there.
SUSE-SU-2017:1153-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1036453 CVE References: CVE-2017-8291 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ghostscript-library-8.62-32.44.1 SUSE Linux Enterprise Server 11-SP4 (src): ghostscript-library-8.62-32.44.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ghostscript-library-8.62-32.44.1
(In reply to Marcus Meissner from comment #42) > (In reply to Henry Stiles from comment #16) > > > We are now using a private group for security on bugs.ghostcript.com, > should > > I include you in the group representing Suse or is there another > security > > representative? > > > I would appreciate that! Can you include me (meissner at suse.de and > Johannes Meixner ) ? Both of you have been added.
openSUSE-SU-2017:1203-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1018128,1030263,1032114,1032120,1036453 CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291 Sources used: openSUSE Leap 42.2 (src): ghostscript-9.15-11.3.1, ghostscript-mini-9.15-11.3.1 openSUSE Leap 42.1 (src): ghostscript-9.15-17.1, ghostscript-mini-9.15-17.1
Hello, My customer is asking for an estimated date for when this bug fix will be released for SUSE Linux Enterprise Server 11-SP3-LTSS. Thanks
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-05-22. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63603
Created attachment 725025 [details] xx.ps smaller reproducer
SUSE-SU-2017:1322-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1036453 CVE References: CVE-2017-8291 Sources used: SUSE OpenStack Cloud 5 (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Server 11-SP4 (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): ghostscript-library-8.62-32.46.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): ghostscript-library-8.62-32.46.1
all done
SUSE-SU-2017:1404-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1018128,1030263,1032114,1032120,1036453 CVE References: CVE-2016-10220,CVE-2016-9601,CVE-2017-5951,CVE-2017-7207,CVE-2017-8291 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Server for SAP 12 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Server 12-SP2 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Server 12-SP1 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Server 12-LTSS (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Desktop 12-SP2 (src): ghostscript-9.15-22.1 SUSE Linux Enterprise Desktop 12-SP1 (src): ghostscript-9.15-22.1