Bug 1106173 - (CVE-2018-15910) VUL-0: CVE-2018-15910: ghostscript,ghostscript-library: LockDistillerParams type confusion (699656)
(CVE-2018-15910)
VUL-0: CVE-2018-15910: ghostscript,ghostscript-library: LockDistillerParams t...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/213375/
CVSSv3:SUSE:CVE-2018-15910:7.3:(AV:N/...
:
Depends on:
Blocks: 1105464
  Show dependency treegraph
 
Reported: 2018-08-28 06:58 UTC by Alexander Bergmann
Modified: 2020-06-08 19:13 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2018-08-28 06:58:03 UTC
rh#1619751

In Artifex Ghostscript 9.23 before 2018-08-23, attackers able to supply crafted
PostScript files could use a type confusion in the LockDistillerParams parameter
to crash the interpreter or execute code.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1619751
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15910
http://www.cvedetails.com/cve/CVE-2018-15910/
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c3476dde7743761a4e1d39a631716199b696b880
Comment 1 Alexander Bergmann 2018-08-28 08:06:55 UTC
Upstream fix:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde

Mitigation:
(https://bugzilla.redhat.com/show_bug.cgi?id=1619748#c3)

ImageMagick relies on ghostscript when processing certain files formats. Thus, ImageMagick can be used as an attack vector. In order to prevent ImageMagick from processing those files on Red Hat Enterprise Linux 6 and 7, you can disable the use of ghostscript and the processing of PS, EPS, PDF, and XPS file formats in ImageMagick's security policy by opening /etc/ImageMagick/policy.xml and adding the following lines to the "<policymap>" section of the file:

<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
<policy domain="delegate" rights="none" pattern="gs" />


Additionally, this issue can be triggered when processing files in order to generate thumbnails, for example when browsing a folder containing a malicious PostScript file in Nautilus. To prevent this, remove or rename the "/usr/bin/evince-thumbnailer" executable.
Comment 2 Alexander Bergmann 2018-08-28 08:58:58 UTC
QA Reproducer:

#> echo "<< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams" | gs -q -sDEVICE=ppmraw -dSAFER
GS>Segmentation fault (core dumped)
Comment 3 Alexander Bergmann 2018-08-28 09:03:40 UTC
QA Reproducer:

#> echo "<< /Whatever 16#414141414141 >> setpattern" | gs -q -sDEVICE=ppmraw -dSAFER
GS>Segmentation fault (core dumped)
Comment 8 Swamp Workflow Management 2018-10-02 19:08:52 UTC
SUSE-SU-2018:2975-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.25-23.13.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.25-23.13.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.25-23.13.1
Comment 9 Swamp Workflow Management 2018-10-02 19:11:20 UTC
SUSE-SU-2018:2976-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.2.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.25-3.6.1
Comment 10 Swamp Workflow Management 2018-10-05 19:11:00 UTC
openSUSE-SU-2018:3036-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.25-14.9.1, ghostscript-mini-9.25-14.9.1
Comment 11 Swamp Workflow Management 2018-10-05 19:13:45 UTC
openSUSE-SU-2018:3038-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.25-lp150.2.6.1, ghostscript-mini-9.25-lp150.2.6.1, libspectre-0.2.8-lp150.2.3.1
Comment 17 Swamp Workflow Management 2018-10-18 18:00:52 UTC
SUSE-SU-2018:2975-2: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.25-23.13.1
Comment 19 Swamp Workflow Management 2018-10-23 16:13:26 UTC
SUSE-SU-2018:3330-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1050893,1106173,1107410,1107412,1107413,1107420,1107421,1107426
CVE References: CVE-2017-9611,CVE-2018-15910,CVE-2018-16509,CVE-2018-16511,CVE-2018-16513,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ghostscript-library-8.62-32.47.13.1
SUSE Linux Enterprise Server 11-SP4 (src):    ghostscript-library-8.62-32.47.13.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ghostscript-library-8.62-32.47.13.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ghostscript-library-8.62-32.47.13.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ghostscript-library-8.62-32.47.13.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ghostscript-library-8.62-32.47.13.1
Comment 20 Swamp Workflow Management 2018-10-31 10:51:56 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-11-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64172
Comment 21 Swamp Workflow Management 2019-04-27 22:41:26 UTC
SUSE-SU-2018:2975-3: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1106171,1106172,1106173,1106195,1107410,1107411,1107412,1107413,1107420,1107421,1107422,1107423,1107426,1107581,1108027,1109105
CVE References: CVE-2018-15908,CVE-2018-15909,CVE-2018-15910,CVE-2018-15911,CVE-2018-16509,CVE-2018-16510,CVE-2018-16511,CVE-2018-16513,CVE-2018-16539,CVE-2018-16540,CVE-2018-16541,CVE-2018-16542,CVE-2018-16543,CVE-2018-16585,CVE-2018-16802,CVE-2018-17183
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.25-23.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Marcus Meissner 2020-01-28 07:16:20 UTC
released