Bug 1625851 (CVE-2018-16543)

Summary: CVE-2018-16543 ghostscript: gssetresolution and gsgetresolution memory corruption (699670)
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cbuissar, mosvald, twaugh, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ghostscript 9.24 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the ghostscript gssetresolution and gsgetresolution procedures were available, although they have dangerous side effects. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:37:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1625852, 1625853, 1653614    
Bug Blocks: 1619570    

Description Sam Fowler 2018-09-06 05:31:01 UTC 
In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.


External Reference:

https://www.kb.cert.org/vuls/id/332928
https://www.artifex.com/news/ghostscript-security-resolved/


Upstream Bug:

https://bugs.ghostscript.com/show_bug.cgi?id=699670


Upstream Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f52734ba87
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c9b362ba908c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b5536fa88a9
Comment 1 Sam Fowler 2018-09-06 05:31:32 UTC 
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1625852]
Comment 9 Cedric Buissart 2018-11-27 11:56:14 UTC 
Upstream Patches:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f52734ba87
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c9b362ba908c
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b5536fa88a9
Comment 10 Cedric Buissart 2019-02-12 09:22:49 UTC 
Statement:

CVE-2018-16543 requires the "device subclassing" feature to be present in ghostscript in order to exploit it and corrupt the interpreter's memory. This feature appeared in Ghostscript-9.18. Thus ghostscript 9.07, as shipped in Red Hat Enterprise Linux 7, and older are not affected : although the attacker has access to the gssetresolution and gsgetresolution operators, they can not use these to corrupt memory.