Bug 1122319 - (CVE-2019-6116) VUL-0: CVE-2019-6116: ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators
(CVE-2019-6116)
VUL-0: CVE-2019-6116: ghostscript: subroutines within pseudo-operators must t...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Johannes Meixner
Security Team bot
https://smash.suse.de/issue/223198/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-01-17 10:31 UTC by Marcus Meissner
Modified: 2019-06-12 09:54 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-01-17 10:31:03 UTC
embargoed report:

The subject and its initial and latest comment of
https://bugs.ghostscript.com/show_bug.cgi?id=700317
reads (excerpts):

===================================================================
ghostscript: subroutines within pseudo-operators
              must themselves be pseudo-operators

...

Tavis Ormandy 2018-12-04 01:45:28 UTC
...
I was quickly grepping through the changes in ghostscript 9.26
and noticed that not all the subroutines are pseudo-operators,
for example ... Resource/Init/pdf_draw.ps ...

1123       {
1124         currentglobal pdfdict gcheck .setglobal
1125         pdfdict /.Qqwarning_issued //true .forceput
1126         .setglobal
1127         pdfformaterror
1128       } ifelse

The reason is obvious, it's an ephemeral routine passed to ifelse,
but that is irrelevant, you can make ifelse fail via /stackoverflow
or /execstackoverflow or whatever.

Actually getting the precise operator to fail is tricky,
but I got it to work:

$ ./gs -sDEVICE=ppmraw -dSAFER -f .../test.ps
...
(Stage 10: /stackoverflow)
...
(Stage 11: Exploitation...)
(\tShould now have complete control over ghostscript,
  attempting to read /etc/passwd...)
(root:x:0:0:root:/root:/bin/bash)
...

Therefore, this is a remote code execution vulnerability.
This affects 9.26 and HEAD.

This bug is subject to a 90 day disclosure deadline.
After 90 days elapse or a patch has been made broadly
available (whichever is earlier), the bug report will
become visible to the public.

...

Tavis Ormandy 2019-01-09 20:19:44 UTC

After some discussion I think we have arrived
at a comprehensive solution.

Thanks Chris for all the work, this one turned out
to be really tough to solve, the complete patchset
is really non-trivial.

It will require extra care writing postscript in future,
I filed bug 700472 to think about ways to make sure
this doesn't accidentally regress.
Comment 1 Johannes Meixner 2019-01-17 12:02:15 UTC
Submitted fixed Ghostscript to SLE15 and SLE12:
---------------------------------------------------------------------------
$ osc -A https://api.suse.de mr -m 'Ghostscript version upgrade to 9.26a
 a special security bugfix version to fix CVE-2019-6116 bsc#1122319'
 home:jsmeix:branches:SUSE:SLE-15:Update
 ghostscript.SUSE_SLE-15_Update
 SUSE:SLE-15:Update

Using target project 'SUSE:Maintenance'
181900

$ osc -A https://api.suse.de mr -m 'Ghostscript version upgrade to 9.26a
 a special security bugfix version to fix CVE-2019-6116 bsc#1122319'
 home:jsmeix:branches:SUSE:SLE-12:Update
 ghostscript.SUSE_SLE-12_Update
 SUSE:SLE-12:Update

Using target project 'SUSE:Maintenance'
181901
---------------------------------------------------------------------------
Comment 3 Marcus Meissner 2019-01-21 13:04:22 UTC
I think I am reading
CRD: 2019-01-23 14:00UTC
Comment 4 Karol Babioch 2019-01-23 14:52:21 UTC
Public now via posting on oss-sec.
Comment 6 Johannes Meixner 2019-01-23 16:48:27 UTC
Submitted fixed ghostscript package to openSUSE:Factory
------------------------------------------------------------------------------
$ osc submitrequest -m 'Ghostscript security fix upgrade
 (purely a security fix) to fix CVE-2019-6116 bsc#1122319'
 home:jsmeix:branches:Printing ghostscript Printing ghostscript
created request id 668140

$ osc request accept -m 'Ghostscript security fix upgrade
 (purely a security fix) to fix CVE-2019-6116 bsc#1122319' 668140
Result of change request state: ok
openSUSE:Factory 
Forward this submit to it? ([y]/n)y
There are already the following submit request: 667783.
Supersede the old requests? (y/n/c) y
Ghostscript security fix upgrade (purely a security fix) to fix CVE-2019-6116 bsc#1122319 (forwarded request 668140 from jsmeix)
New request # 668141
------------------------------------------------------------------------------
Comment 7 Swamp Workflow Management 2019-01-23 17:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1122319) was mentioned in
https://build.opensuse.org/request/show/668141 Factory / ghostscript
Comment 8 Swamp Workflow Management 2019-01-23 20:09:21 UTC
SUSE-SU-2019:0145-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26a-3.12.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26a-3.12.1
Comment 9 Swamp Workflow Management 2019-01-24 00:07:41 UTC
SUSE-SU-2019:0144-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26a-23.19.1, libspectre-0.2.7-12.6.1
Comment 10 Swamp Workflow Management 2019-01-31 14:09:42 UTC
openSUSE-SU-2019:0104-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26a-lp150.2.12.1, ghostscript-mini-9.26a-lp150.2.12.1, libspectre-0.2.8-lp150.2.9.2
Comment 11 Swamp Workflow Management 2019-01-31 14:10:47 UTC
openSUSE-SU-2019:0103-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122319
CVE References: CVE-2019-6116
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26a-14.15.1, ghostscript-mini-9.26a-14.15.1, libspectre-0.2.7-17.7.1
Comment 12 Alexandros Toptsoglou 2019-05-14 10:02:45 UTC
all released