Bug 1117274 - (CVE-2018-19477) VUL-0: CVE-2018-19477: ghostscript,ghostscript-library: psi/zfjbig2.c allows attackers to bypass intended access restrictions because of a JBIG2Decode type confusion
(CVE-2018-19477)
VUL-0: CVE-2018-19477: ghostscript,ghostscript-library: psi/zfjbig2.c allows ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/219611/
CVSSv3:SUSE:CVE-2018-19477:7.1:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-11-26 09:19 UTC by Robert Frohl
Modified: 2020-06-11 12:19 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Robert Frohl 2018-11-26 11:55:30 UTC
Hi Johannes,
my investigation suggests that all codestreams are affected:
- SUSE:SLE-15:Update/ghostscript
- SUSE:SLE-12:Update/ghostscript
- SUSE:SLE-11-SP1:Update/ghostscript-library
- SUSE:SLE-10-SP3:Update/ghostscript-library

There are two patches listed but they are identical as far as I can tell.
Comment 4 Swamp Workflow Management 2018-12-12 17:10:32 UTC
SUSE-SU-2018:4087-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26-3.9.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.4.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26-3.9.4
Comment 5 Swamp Workflow Management 2018-12-12 20:11:51 UTC
SUSE-SU-2018:4090-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
Comment 6 Swamp Workflow Management 2018-12-15 11:11:47 UTC
openSUSE-SU-2018:4138-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26-lp150.2.9.1, ghostscript-mini-9.26-lp150.2.9.1, libspectre-0.2.8-lp150.2.6.2
Comment 7 Swamp Workflow Management 2018-12-15 11:15:12 UTC
openSUSE-SU-2018:4140-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26-14.12.1, ghostscript-mini-9.26-14.12.1, libspectre-0.2.7-17.4.2
Comment 8 Swamp Workflow Management 2019-04-27 22:38:55 UTC
SUSE-SU-2018:4090-2: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Alexandros Toptsoglou 2019-05-14 08:58:21 UTC
The issue is reproducable in SLE11 by running: 

gs -q -sDEVICE=ppmraw -dSAFER -dJBIG2
GS><</.jbig2globalctx 16#41 >> /JBIG2Decode filter

Valgrind output: 

GS><</.jbig2globalctx 16#41 >> /JBIG2Decode filter
==16921== Invalid read of size 8
==16921==    at 0x505D92B: s_jbig2decode_set_global_data (sjbig2.c:139)
==16921==    by 0x505D7D6: z_jbig2decode (zfjbig2.c:75)
==16921==    by 0x4F8EC12: interp (interp.c:1163)
==16921==    by 0x4F902BA: gs_interpret (interp.c:496)
==16921==    by 0x4F84D66: gs_main_run_string_continue (imain.c:214)
==16921==    by 0x4F850EC: gs_main_run_string_with_length (imain.c:483)
==16921==    by 0x400CF6: main (dxmainc.c:87)
==16921==  Address 0x41 is not stack'd, malloc'd or (recently) free'd
==16921== 
==16921== 
==16921== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==16921==  Access not within mapped region at address 0x41
==16921==    at 0x505D92B: s_jbig2decode_set_global_data (sjbig2.c:139)
==16921==    by 0x505D7D6: z_jbig2decode (zfjbig2.c:75)
==16921==    by 0x4F8EC12: interp (interp.c:1163)
==16921==    by 0x4F902BA: gs_interpret (interp.c:496)
==16921==    by 0x4F84D66: gs_main_run_string_continue (imain.c:214)
==16921==    by 0x4F850EC: gs_main_run_string_with_length (imain.c:483)
==16921==    by 0x400CF6: main (dxmainc.c:87)
Comment 13 Marcus Meissner 2020-01-28 07:24:49 UTC
released