Bugzilla – Bug 1156275
VUL-0: CVE-2019-14869: ghostscript: -dSAFER bypass
Last modified: 2020-06-12 20:54:41 UTC
This is to privately disclose CVE-2019-14869: "-dSAFER escape in .charkeys"

This is another instance of a highly privileged operator being accessible by specially crafted PostScript code, that can be used to break out of the -dSAFER limitations.

It was found that `.forceput` operator was present and unprotected in the `.charkeys` method and could be retrieved via manipulation of the error handler. The method can be called from `.loadfontfile`.

The `.charkeys` method was vulnerable since ghostscript-9.15, in one way or another: the privileged operator was `superexec` instead of `.forceput` until a more recent version.

Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f

Disclosure date: Thursday 2019/11/14, at around 1PM UTC.

Upstream bug report (currently private):
https://bugs.ghostscript.com/show_bug.cgi?id=701841

Red Hat would like to thank upstream, Artifex, for alerting us about the flaw. The vulnerability was originally reported by Paul Manfred & Lukas Schauer.

Note: similarly to other recent ghostscript vulnerabilities, this one is mitigated by the recent -dSAFER rework. However, ghostscript-9.27 and older are fully impacted.

public via oss-security

SUSE-SU-2019:2981-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): ghostscript-mini-9.27-3.24.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): ghostscript-mini-9.27-3.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): ghostscript-9.27-3.24.1
SUSE Linux Enterprise Module for Basesystem 15 (src): ghostscript-9.27-3.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2983-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): ghostscript-9.27-23.31.1
SUSE OpenStack Cloud 8 (src): ghostscript-9.27-23.31.1
SUSE OpenStack Cloud 7 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP5 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP4 (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): ghostscript-9.27-23.31.1
SUSE Linux Enterprise Desktop 12-SP4 (src): ghostscript-9.27-23.31.1
SUSE Enterprise Storage 5 (src): ghostscript-9.27-23.31.1
HPE Helion Openstack 8 (src): ghostscript-9.27-23.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2534-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
openSUSE Leap 15.0 (src): ghostscript-9.27-lp150.2.26.1, ghostscript-mini-9.27-lp150.2.26.1

openSUSE-SU-2019:2535-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
openSUSE Leap 15.1 (src): ghostscript-9.27-lp151.3.9.1, ghostscript-mini-9.27-lp151.3.9.1

released