Bug 1146882 - (CVE-2019-14811) VUL-0: CVE-2019-14811,CVE-2019-14812,CVE-2019-14813: ghostscript,ghostscript-library: multiple cases of Safer Mode Bypass by .forceput Exposure
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2019-14811:7.3:(AV:N/...
Reported: 2019-08-22 14:57 UTC by Alexandros Toptsoglou
Modified: 2020-06-15 13:28 UTC

Comment 4 Marcus Meissner 2019-08-28 12:32:37 UTC
is public now

Hello,

This is to report another 4 CVEs in ghostscript, rated important. They are all similar to the recently reported CVE-2019-10216 (reference to `.forceput` can be accessed).

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includesi.
URL : www.ghostscript.com

1- CVE-2019-14811 : Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)

2- CVE-2019-14812 : Safer Mode Bypass by .forceput Exposure in setuserparams (701444)

3- CVE-2019-14813 : Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)

....

In each case, a specially crafted script could get a reference to .forceput and use that to disable the -dSAFER protection. This then allows the script to access file system outside of ret.
Regarding CVE-2019-14817, only the .pdfexectoken procedure was proven to be vulnerable, the other fixed methods were only potentially vulnerable.

Preventing the modification of the error handler might protect most of these vulnerable functions.

The fixes have been pushed upstream :

CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
Acknowledgments :
CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 were reported to upstream by Hiroki MATSUKUMA of Cyber Defense Institute, Inc.


Noteworthy (similar to CVE-2019-10216) :
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFil .
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove SAFER, and modify the /PermitFile* lists. However, the interpreter will i.

Best regards

--
Cedric Buissart
Product Security
Red Hat
Comment 5 Dr. Werner Fink 2019-09-16 11:35:02 UTC
AFAICS NOT part of gs 9.27
Comment 6 Swamp Workflow Management 2019-09-16 13:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1146882) was mentioned in
https://build.opensuse.org/request/show/731283 Factory / ghostscript
Comment 7 Swamp Workflow Management 2019-09-16 14:10:13 UTC
This is an autogenerated message for OBS integration:
This bug (1146882) was mentioned in
https://build.opensuse.org/request/show/731293 Factory / ghostscript
Comment 10 Swamp Workflow Management 2019-09-25 13:12:32 UTC
SUSE-SU-2019:2460-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.27-3.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.27-3.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.27-3.21.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.27-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-09-26 16:17:56 UTC
SUSE-SU-2019:2478-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1131863,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ghostscript-9.27-23.28.1
SUSE OpenStack Cloud 8 (src):    ghostscript-9.27-23.28.1
SUSE OpenStack Cloud 7 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Enterprise Storage 5 (src):    ghostscript-9.27-23.28.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.27-23.28.1
HPE Helion Openstack 8 (src):    ghostscript-9.27-23.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-09-30 19:15:39 UTC
openSUSE-SU-2019:2223-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.27-lp151.3.6.1, ghostscript-mini-9.27-lp151.3.6.1
Comment 13 Swamp Workflow Management 2019-09-30 19:19:28 UTC
openSUSE-SU-2019:2222-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.27-lp150.2.23.1, ghostscript-mini-9.27-lp150.2.23.1
Comment 14 Dr. Werner Fink 2019-10-23 08:00:20 UTC
done
Comment 15 Marcus Meissner 2020-01-28 07:34:14 UTC
released