Bug 1156275 - (CVE-2019-14869) VUL-0: CVE-2019-14869: ghostscript: -dSAFER bypass
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2019-14869:7.3:(AV:...
Reported: 2019-11-08 09:40 UTC by Robert Frohl
Modified: 2020-06-12 20:54 UTC

Description Robert Frohl 2019-11-08 09:40:23 UTC
This is to privately disclose CVE-2019-14869 : "-dSAFER escape in
.charkeys"

This is another instance of a highly privileged operator being
accessible by specially crafted Postscript code, that can be used to
break out of the -dSAFER limitations.

It was found that `.forceput` operator was present and unprotected in
the `.charkeys` method and could be retrieved via manipulation of the
error handler. The method can be called from `.loadfontfile`.

The `.charkeys` method was vulnerable since ghostscript-9.15, in one way
or another: the privileged operator was `superexec` instead of
`.forceput` until a more recent version.

Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f

Disclosure date : Thursday 2019/11/14, at around 1PM UTC.

Upstream bug report (currently private):
https://bugs.ghostscript.com/show_bug.cgi?id=701841

Red Hat would like to thank upstream, Artifex, for alerting us about the
flaw. The vulnerability was originally reported by Paul Manfred & Lukas
Schauer.

Note: similarly to other recent ghostscript vulnerabilities, this one is
mitigated by the recent -dSAFER rework. However, ghostscript-9.27 and
older are fully impacted.
Comment 15 Robert Frohl 2019-11-15 09:44:32 UTC
public via oss-security
Comment 16 Swamp Workflow Management 2019-11-15 14:19:56 UTC
SUSE-SU-2019:2981-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.27-3.24.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.27-3.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.27-3.24.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.27-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-11-15 14:20:50 UTC
SUSE-SU-2019:2983-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ghostscript-9.27-23.31.1
SUSE OpenStack Cloud 8 (src):    ghostscript-9.27-23.31.1
SUSE OpenStack Cloud 7 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP5 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.27-23.31.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.27-23.31.1
SUSE Enterprise Storage 5 (src):    ghostscript-9.27-23.31.1
HPE Helion Openstack 8 (src):    ghostscript-9.27-23.31.1
Comment 18 Swamp Workflow Management 2019-11-20 17:12:27 UTC
openSUSE-SU-2019:2534-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.27-lp150.2.26.1, ghostscript-mini-9.27-lp150.2.26.1
Comment 19 Swamp Workflow Management 2019-11-20 17:16:14 UTC
openSUSE-SU-2019:2535-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1156275
CVE References: CVE-2019-14869
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.27-lp151.3.9.1, ghostscript-mini-9.27-lp151.3.9.1
Comment 20 Marcus Meissner 2020-01-27 13:06:22 UTC
released
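
Added example, not part of the bug report or of SUSE tooling: the fixed SUSE builds above are all still version 9.27, so the upstream version string alone cannot tell a patched host from an unpatched one and the release field has to be compared too. The sketch below checks constructed inventory rows against the fixed builds listed in the update notices; the stream labels, host names and the simplified comparison (no epoch, tilde or caret handling) are assumptions of this example, and the installed string is assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}' ghostscript`.

```python
import re

# Fixed builds copied from the update notices in this bug. The keys are
# labels made up for this example, not SUSE product identifiers.
FIXED = {
    "sle15": "9.27-3.24.1",            # SUSE-SU-2019:2981-1
    "sle12": "9.27-23.31.1",           # SUSE-SU-2019:2983-1
    "leap15.0": "9.27-lp150.2.26.1",   # openSUSE-SU-2019:2534-1
    "leap15.1": "9.27-lp151.3.9.1",    # openSUSE-SU-2019:2535-1
}

def rpm_cmp(a, b):
    """Simplified rpmvercmp (no epoch, tilde or caret): returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():     # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)          # compare numbers numerically
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer one is newer

def status(stream, installed):
    """Compare VERSION first, then RELEASE, against the stream's fixed build."""
    ver, rel = installed.split("-", 1)
    fver, frel = FIXED[stream].split("-", 1)
    at_or_above = (rpm_cmp(ver, fver) or rpm_cmp(rel, frel)) >= 0
    return "fixed" if at_or_above else "vulnerable"

# Constructed inventory rows: (host, stream label, installed VERSION-RELEASE).
INVENTORY = [
    ("build01", "sle15", "9.27-3.21.1"),        # same version, older release
    ("web02", "sle12", "9.27-23.31.1"),         # exactly the fixed build
    ("dev03", "leap15.1", "9.27-lp151.3.6.1"),  # older Leap 15.1 release
    ("old04", "sle12", "9.26-23.40.1"),         # older version, higher release
]

def vulnerable_hosts(inventory):
    return [h for h, stream, evr in inventory if status(stream, evr) == "vulnerable"]

if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(host, "needs the ghostscript update for CVE-2019-14869")
```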