Bugzilla – Bug 1122319
VUL-0: CVE-2019-6116: ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators
Last modified: 2019-06-12 09:54:43 UTC
embargoed report: The subject and its initial and latest comment of
https://bugs.ghostscript.com/show_bug.cgi?id=700317 read (excerpts):

===================================================================
ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators
...
Tavis Ormandy 2018-12-04 01:45:28 UTC
...
I was quickly grepping through the changes in ghostscript 9.26 and noticed that
not all the subroutines are pseudo-operators, for example
...
Resource/Init/pdf_draw.ps
...
1123 {
1124   currentglobal pdfdict gcheck .setglobal
1125   pdfdict /.Qqwarning_issued //true .forceput
1126   .setglobal
1127   pdfformaterror
1128 } ifelse

The reason is obvious, it's an ephemeral routine passed to ifelse, but that is
irrelevant, you can make ifelse fail via /stackoverflow or /execstackoverflow
or whatever.

Actually getting the precise operator to fail is tricky, but I got it to work:

$ ./gs -sDEVICE=ppmraw -dSAFER -f .../test.ps
...
(Stage 10: /stackoverflow)
...
(Stage 11: Exploitation...)
(\tShould now have complete control over ghostscript, attempting to read /etc/passwd...)
(root:x:0:0:root:/root:/bin/bash)
...

Therefore, this is a remote code execution vulnerability. This affects 9.26 and HEAD.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a
patch has been made broadly available (whichever is earlier), the bug report
will become visible to the public.
...
Tavis Ormandy 2019-01-09 20:19:44 UTC

After some discussion I think we have arrived at a comprehensive solution.
Thanks Chris for all the work, this one turned out to be really tough to solve,
the complete patchset is really non-trivial. It will require extra care writing
postscript in future, I filed bug 700472 to think about ways to make sure this
doesn't accidentally regress.
===================================================================
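The rule in the report's title (a literal procedure nested inside a pseudo-operator that touches a privileged operator such as `.forceput` must itself be a pseudo-operator, because an error raised while it is on the stack can hand it to the caller) can be checked mechanically. The following is an added example, not code from the report, from Ghostscript or from the SUSE package: a small PostScript tokenizer plus a heuristic linter in the spirit of the regression check Tavis mentions wanting. Assumptions, none of which come from the page: the set `PRIVILEGED_OPS` (only `.forceput` is named in the report; `.forceundef` is a guess), the detection of a pseudo-operator as a top-level procedure whose closing brace is followed within a few tokens by `odef`, and the two constructed samples, the first modelled on the pdf_draw.ps excerpt above and the second showing the same logic with the privileged work moved into its own pseudo-operator.

```python
"""Heuristic linter for privileged operators in PostScript init files.

Finding kinds:
  nested-literal       a literal { ... } inside a pseudo-operator body that
                       directly uses a privileged op (the bug class above)
  not-pseudo-operator  a plain (non-odef) procedure using a privileged op
Added example; not part of Ghostscript or of the SUSE package."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple, Union

# Assumption: which operators count as privileged. `.forceput` is the one the
# report names; `.forceundef` is added here only as a second plausible member.
PRIVILEGED_OPS = frozenset({".forceput", ".forceundef"})
# Assumption: a top-level procedure is a pseudo-operator when `odef` follows its
# closing brace within this many tokens (e.g. `} bind executeonly odef`).
ODEF_WINDOW = 4

_TOKEN_RE = re.compile(
    r"<<|>>|<[0-9A-Fa-f\s]*>|[\[\]{}]|//?[^\s()<>\[\]{}/%]*|[^\s()<>\[\]{}/%]+")
Token = Tuple[str, int]  # (text, line number)


@dataclass
class Proc:
    line: int                          # line of the opening brace
    items: List[Union["Proc", Token]]


@dataclass(frozen=True)
class Finding:
    kind: str
    name: Optional[str]                # the /name being defined, if any
    line: int                          # line of the offending procedure
    ops: Tuple[str, ...]


def tokenize(src: str) -> List[Token]:
    """Split PostScript source into tokens. Comments are dropped; each (...)
    string, with nested parens and backslash escapes, becomes one token."""
    tokens, i, line, n = [], 0, 1, len(src)
    while i < n:
        c = src[i]
        if c == "\n":
            line += 1
            i += 1
        elif c.isspace():
            i += 1
        elif c == "%":                         # comment to end of line
            j = src.find("\n", i)
            i = n if j < 0 else j
        elif c == "(":                         # string: scan to balanced ')'
            depth, j, start = 0, i, line
            while j < n:
                if src[j] == "\\":
                    j += 2
                    continue
                if src[j] == "(":
                    depth += 1
                elif src[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                elif src[j] == "\n":
                    line += 1
                j += 1
            tokens.append((src[i:j + 1], start))
            i = j + 1
        else:
            m = _TOKEN_RE.match(src, i)
            if m is None:                      # stray delimiter: skip it
                i += 1
                continue
            tokens.append((m.group(0), line))
            i = m.end()
    return tokens


def parse(tokens: List[Token]) -> Proc:
    """Build a tree of procedures from { / } nesting; root has line 0."""
    root = Proc(0, [])
    stack = [root]
    for tok, line in tokens:
        if tok == "{":
            proc = Proc(line, [])
            stack[-1].items.append(proc)
            stack.append(proc)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError(f"unbalanced '}}' at line {line}")
            stack.pop()
        else:
            stack[-1].items.append((tok, line))
    if len(stack) != 1:
        raise ValueError(f"unclosed '{{' opened at line {stack[-1].line}")
    return root


def _descendants(proc: Proc) -> Iterator[Proc]:
    for item in proc.items:
        if isinstance(item, Proc):
            yield item
            yield from _descendants(item)


def _direct_ops(proc: Proc) -> Tuple[str, ...]:
    """Privileged operators referenced directly, not via a nested proc."""
    return tuple(sorted({it[0] for it in proc.items
                         if not isinstance(it, Proc) and it[0] in PRIVILEGED_OPS}))


def lint(src: str) -> List[Finding]:
    """Check every top-level procedure definition in `src`."""
    items = parse(tokenize(src)).items
    findings: List[Finding] = []
    for idx, item in enumerate(items):
        if not isinstance(item, Proc):
            continue
        prev = items[idx - 1] if idx else None
        name = prev[0] if isinstance(prev, tuple) and prev[0].startswith("/") else None
        trailer = []                           # tokens after the closing brace
        for nxt in items[idx + 1: idx + 1 + ODEF_WINDOW]:
            if isinstance(nxt, Proc):
                break
            trailer.append(nxt[0])
            if nxt[0] in ("def", "odef"):
                break
        if "odef" in trailer:
            # The report's rule: a literal procedure nested in a pseudo-operator
            # must not itself carry the privileged work.
            for nested in _descendants(item):
                ops = _direct_ops(nested)
                if ops:
                    findings.append(Finding("nested-literal", name, nested.line, ops))
        else:
            # Broader check: privileged op anywhere in a plain procedure.
            ops = tuple(sorted(set(_direct_ops(item)).union(
                *(_direct_ops(p) for p in _descendants(item)))))
            if ops:
                findings.append(Finding("not-pseudo-operator", name, item.line, ops))
    return findings


# Constructed sample, modelled on the pdf_draw.ps excerpt quoted in the report.
SAMPLE_BEFORE = r"""
/.Qqwarning {
  pdfdict /.Qqwarning_issued known {
    pdfformaterror
  } {
    currentglobal pdfdict gcheck .setglobal
    pdfdict /.Qqwarning_issued //true .forceput
    .setglobal
    pdfformaterror
  } ifelse
} bind executeonly odef

/leaky { pdfdict /flag //true .forceput } bind def   % not a pseudo-operator

/harmless { (a (nested) string mentioning .forceput) print } bind def
"""

# Constructed: the same logic with the privileged work as its own pseudo-operator.
SAMPLE_AFTER = r"""
/.Qqwarning_set {
  currentglobal pdfdict gcheck .setglobal
  pdfdict /.Qqwarning_issued //true .forceput
  .setglobal
} bind executeonly odef

/.Qqwarning {
  pdfdict /.Qqwarning_issued known not { .Qqwarning_set } if
  pdfformaterror
} bind executeonly odef
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: {lint(sample) or 'no findings'}")
```

Running the block reports the `} { ... .forceput ... } ifelse` branch of `/.Qqwarning` and the plain `/leaky` procedure in the first sample and nothing in the second; the string in `/harmless` is not flagged because the tokenizer treats `(...)` as one token. The check is a heuristic over source text only: it cannot tell whether `odef` really produces a pseudo-operator in a given Ghostscript build, and it does not decide which operators are privileged, so both lists are meant to be tuned against the tree being scanned.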
Submitted fixed Ghostscript to SLE15 and SLE12:
---------------------------------------------------------------------------
$ osc -A https://api.suse.de mr -m 'Ghostscript version upgrade to 9.26a a special security bugfix version to fix CVE-2019-6116 bsc#1122319' home:jsmeix:branches:SUSE:SLE-15:Update ghostscript.SUSE_SLE-15_Update SUSE:SLE-15:Update
Using target project 'SUSE:Maintenance'
181900

$ osc -A https://api.suse.de mr -m 'Ghostscript version upgrade to 9.26a a special security bugfix version to fix CVE-2019-6116 bsc#1122319' home:jsmeix:branches:SUSE:SLE-12:Update ghostscript.SUSE_SLE-12_Update SUSE:SLE-12:Update
Using target project 'SUSE:Maintenance'
181901
---------------------------------------------------------------------------
I think I am reading CRD: 2019-01-23 14:00UTC
Public now via posting on oss-sec.
Submitted fixed ghostscript package to openSUSE:Factory
------------------------------------------------------------------------------
$ osc submitrequest -m 'Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319' home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 668140

$ osc request accept -m 'Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319' 668140
Result of change request state: ok
openSUSE:Factory
Forward this submit to it? ([y]/n)y
There are already the following submit request: 667783.
Supersede the old requests? (y/n/c) y
Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319 (forwarded request 668140 from jsmeix)
New request # 668141
------------------------------------------------------------------------------
This is an autogenerated message for OBS integration:
This bug (1122319) was mentioned in
https://build.opensuse.org/request/show/668141 Factory / ghostscript
SUSE-SU-2019:0145-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26a-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26a-3.12.1
SUSE-SU-2019:0144-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
openSUSE-SU-2019:0104-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26a-lp150.2.12.1, ghostscript-mini-9.26a-lp150.2.12.1, libspectre-0.2.8-lp150.2.9.2
openSUSE-SU-2019:0103-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26a-14.15.1, ghostscript-mini-9.26a-14.15.1, libspectre-0.2.7-17.7.1
all released