Bug 1666636 (CVE-2019-6116)

Summary: CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317)
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apmukher, cww, deekej, kdudka, kent, mosvald, pravisha, security-response-team, twaugh, yozone, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ghostscript 9.27 Doc Type: If docs needed, set a value
Doc Text:
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-01 12:57:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1667442, 1667443, 1668888, 1668891, 1741040    
Bug Blocks: 1666628    

Description Cedric Buissart 2019-01-16 09:07:16 UTC 
It was found that operators did not sufficiently protect their calls to other sensitive operators.
An attacker could use this flaw to get access to sensitive operators, such as .forceput, and use these operators to disable the SAFER mode, and for example, get access to the file system outside of the restricted areas.
Comment 1 Cedric Buissart 2019-01-16 09:38:08 UTC 
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
Comment 2 Cedric Buissart 2019-01-16 09:38:48 UTC 
External References:

https://bugs.ghostscript.com/show_bug.cgi?id=700317
Comment 7 Cedric Buissart 2019-01-22 10:14:52 UTC 
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)
Comment 8 Cedric Buissart 2019-01-23 20:02:27 UTC 
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1668888]
Comment 11 errata-xmlrpc 2019-01-31 18:19:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229
Comment 13 Cedric Buissart 2019-02-01 14:01:00 UTC 
Statement:

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 14 Cedric Buissart 2019-02-05 13:20:20 UTC 
Upstream fixes :

* http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36f
* http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9c
* http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f13091
* http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4de
Comment 18 Red Hat Bugzilla 2023-09-18 00:15:18 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days