Bug 1129180 - (CVE-2019-3835) VUL-1: CVE-2019-3835: ghostscript,ghostscript-library: superexec operator is available
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/226092/
CVSSv3:SUSE:CVE-2019-3835:8.8:(AV:N/...
Reported: 2019-03-14 09:34 UTC by Marcus Meissner
Modified: 2020-06-08 19:14 UTC (History)
Found By: Security Response Team
Comment 2 Marcus Meissner 2019-03-21 15:35:44 UTC
is now public

1- CVE-2019-3835 ghostscript: superexec operator is available

It was found that the superexec operator was available in the internal dictionary.  A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER.

This one is considered particularly Important because it can be easily triggered inside popular Linux PostScript viewers, or embedded in a PDF when read by the `gs` command, and could be used to modify the content of bashrc.

Upstream fixes:
 * Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
 * Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=700585

Note: The only important fix is the second one, d683d1e6, the other one is only a dependency.

To test if you are affected (on recent ghostscript, starting from gs-9.22 [starting from commit 8556b698892]):

$ gs -dSAFER -dNODISPLAY
GS> 1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print

On versions older than 9.22, this would be sufficient:

GS> /superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print
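
Added example (not part of the comment above, nor code from SUSE or the Ghostscript project): a scripted form of the manual check, for running across many hosts or in CI. The function names are this example's own; it assumes `gs --version` prints a dotted version and uses the standard `-q`, `-dBATCH` and `-c` options to run the comment's probe non-interactively.

```shell
#!/bin/sh
# Added example: scripted form of the manual check in Comment 2.
# Function names are this example's own; the two probes are the comment's.

# Choose the probe for a version string such as "9.26" (as `gs --version` prints).
# From 9.22 on the check looks in internaldict; before that, `where` suffices.
probe_for_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "${major:-0}" -gt 9 ] ||
       { [ "${major:-0}" -eq 9 ] && [ "${minor:-0}" -ge 22 ]; }; then
        printf '%s' '1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print'
    else
        printf '%s' '/superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print'
    fi
}

# Map interpreter output to a verdict. Anything but a clean VULNERABLE or
# SAFE line (an error dump, empty output) is UNKNOWN rather than SAFE.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'VULNERABLE'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -qx 'SAFE'; then
        echo SAFE
    else
        echo UNKNOWN
    fi
}

# Run the probe in batch mode under the same -dSAFER -dNODISPLAY flags.
check_superexec() {
    gs_bin=${1:-gs}
    command -v "$gs_bin" >/dev/null 2>&1 || { echo UNKNOWN; return 2; }
    version=$("$gs_bin" --version 2>/dev/null) || true
    # Without a version the right probe cannot be chosen; do not guess.
    [ -n "$version" ] || { echo UNKNOWN; return 2; }
    probe=$(probe_for_version "$version")
    out=$("$gs_bin" -q -dSAFER -dNODISPLAY -dBATCH -c "$probe flush quit" 2>&1 </dev/null) || true
    classify_output "$out"
}

# Usage: sh check.sh --run [path-to-gs]
if [ "${1:-}" = "--run" ]; then
    check_superexec "${2:-gs}"
fi
```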
Comment 8 Swamp Workflow Management 2019-09-25 13:12:02 UTC
SUSE-SU-2019:2460-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ghostscript-mini-9.27-3.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.27-3.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ghostscript-9.27-3.21.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.27-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-09-26 16:17:27 UTC
SUSE-SU-2019:2478-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1131863,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ghostscript-9.27-23.28.1
SUSE OpenStack Cloud 8 (src):    ghostscript-9.27-23.28.1
SUSE OpenStack Cloud 7 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    ghostscript-9.27-23.28.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.27-23.28.1
SUSE Enterprise Storage 5 (src):    ghostscript-9.27-23.28.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.27-23.28.1
HPE Helion Openstack 8 (src):    ghostscript-9.27-23.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-09-30 19:15:10 UTC
openSUSE-SU-2019:2223-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
openSUSE Leap 15.1 (src):    ghostscript-9.27-lp151.3.6.1, ghostscript-mini-9.27-lp151.3.6.1
Comment 11 Swamp Workflow Management 2019-09-30 19:18:59 UTC
openSUSE-SU-2019:2222-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1129180,1129186,1134156,1140359,1146882,1146884
CVE References: CVE-2019-12973,CVE-2019-14811,CVE-2019-14812,CVE-2019-14813,CVE-2019-14817,CVE-2019-3835,CVE-2019-3839
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.27-lp150.2.23.1, ghostscript-mini-9.27-lp150.2.23.1
Comment 13 Marcus Meissner 2020-01-28 07:30:16 UTC
released