Bug 1382294 (CVE-2016-7976)

Summary: CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, deekej, dmcphers, jialiu, jokerman, kseifried, lmeyer, mmccomas, sardella, tiwillia, twaugh, yozone, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-20 13:08:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: Embargoed1380329    

Description Cedric Buissart 2016-10-06 09:30:00 UTC 
It was found that, despite -dSAFER option, when the graphics library directly opens a file for reading, insufficent restriction were applied.
This allows path traversal and information disclosure, and also command execution in recent versions (9.18 and above)

Upstream bug :
http://bugs.ghostscript.com/show_bug.cgi?id=697178

Upstream patch :
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=6d444c273da5

Reference :
http://seclists.org/oss-sec/2016/q4/37
Comment 2 Cedric Buissart 2016-10-13 08:45:11 UTC 
- Ghostscript's ICC profile management is a feature that started with version 9.
Thus previous versions, in particular ghostscript 8.70, do not have capability to open ICC profile files for color management, and thus are not affected by this CVE.
RHEL5 and 6 are not affected by this issue.

- Only versions 9.18 and above are affected by code execution, as a side effect of upstream commit 1fae53a7. Thus, as shipped in RHEL7 and Fedora, ghostcript is only partially affected.
Comment 3 David Kaspar // Dee'Kej 2016-10-13 09:40:00 UTC 
Hello Cedric,

please note that we're using ghostscript-9.07 in RHEL7.

Best regards,

Dee'Kej
Comment 4 Cedric Buissart 2016-10-19 14:37:03 UTC 
(In reply to David Kaspar [Dee'Kej] from comment #3)
> Hello Cedric,
> 
> please note that we're using ghostscript-9.07 in RHEL7.
> 
> Best regards,
> 
> Dee'Kej
Yes. The original report was mentioning that versions pre-9.18, although protected from code execution, are still affected by a directory traversal issue, allowing an attacker to open a profile outside of the dedicated directory.

This behavior has not been prevented by the fix :

$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6
Comment 5 Cedric Buissart 2016-10-20 12:57:56 UTC 
The directory traversal does not seem to be considered an issue at the moment, since, in any case, if not found from the ICC profiles directory, the profile will be searched from current directory, and possibly from the root file system :

# strace -e open gs ~/ghostscript/putdevice-open2.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles//etc/passwd", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY)           = 6

It might get resolved later. I will currently consider only the execution part and mark RHEL7 & fedora as non-affected.
Comment 6 David Kaspar // Dee'Kej 2016-11-01 14:14:03 UTC 
There's no clone of this BZ for Fedora, but it has been fixed there:

Commit fixing this CVE:
http://pkgs.fedoraproject.org/cgit/rpms/ghostscript.git/commit/?id=040b22b22c7cb

Fixed in version:
ghostscript-9.20-2