Bug 1144621 - (CVE-2019-10216) VUL-0: CVE-2019-10216: ghostscript, ghostscript-library: privilege escalation via specially crafted PostScript file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2019-10216:7.3:(AV:N/...
Reported: 2019-08-07 08:30 UTC by Alexandros Toptsoglou
Modified: 2020-06-15 13:28 UTC (History)
Comment 12 Marcus Meissner 2019-08-12 13:29:05 UTC
To: oss-security@lists.openwall.com
Date: Mon, 12 Aug 2019 15:25:15 +0200
Subject: [oss-security] ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includesi.
URL : www.ghostscript.com

The flaw is a usual "getting a reference to a privileged function" (the script must successfully be able to overload the error handling code to take advantage of that flaw), allowing arbia.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could use i.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy : 
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFil .
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove SAFER, and modify the /PermitFile* lists. However, the interpreter will i.

Best regards,

--
Cedric Buissart
Product Security
Red Hat
Comment 13 Swamp Workflow Management 2019-09-10 16:12:40 UTC
SUSE-SU-2019:2347-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26a-23.25.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26a-23.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-09-10 16:15:40 UTC
SUSE-SU-2019:2348-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.26a-3.18.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26a-3.18.2

Comment 15 Swamp Workflow Management 2019-09-16 10:10:55 UTC
openSUSE-SU-2019:2139-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.26a-lp151.3.3.1, ghostscript-mini-9.26a-lp151.3.3.1
Comment 16 Dr. Werner Fink 2019-09-16 13:17:03 UTC
Also NOT part of ghostscript 9.27
Comment 17 Swamp Workflow Management 2019-09-16 14:10:10 UTC
This is an autogenerated message for OBS integration:
This bug (1144621) was mentioned in
https://build.opensuse.org/request/show/731293 Factory / ghostscript
Comment 18 Swamp Workflow Management 2019-09-24 13:23:17 UTC
openSUSE-SU-2019:2160-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144621
CVE References: CVE-2019-10216
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26a-lp150.2.20.1, ghostscript-mini-9.26a-lp150.2.20.1
Comment 19 Dr. Werner Fink 2019-10-23 08:00:48 UTC
done
Comment 20 Marcus Meissner 2020-01-28 07:33:34 UTC
released