Bug 1666636 (CVE-2019-6116)

Summary: CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317)
Product: [Other] Security Response
Reporter: Cedric Buissart 🐶 <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apmukher, cww, dkaspar, kdudka, kent, mosvald, pravisha, security-response-team, twaugh, yozone, zdohnal
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: pravisha: needinfo? (cww)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ghostscript 9.27
Doc Type: If docs needed, set a value
Doc Text:
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection and, for example, gain access to the file system outside of the SAFER constraints.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-01 12:57:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1667442, 1667443, 1668888, 1668891, 1741040
Bug Blocks: 1666628

Description Cedric Buissart 🐶 2019-01-16 09:07:16 UTC
It was found that operators did not sufficiently protect their calls to other sensitive operators.
An attacker could use this flaw to get access to sensitive operators, such as .forceput, and use these operators to disable the SAFER mode, and for example, get access to the file system outside of the restricted areas.

Comment 1 Cedric Buissart 🐶 2019-01-16 09:38:08 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509: https://access.redhat.com/security/cve/cve-2018-16509

Comment 2 Cedric Buissart 🐶 2019-01-16 09:38:48 UTC
External References:

https://bugs.ghostscript.com/show_bug.cgi?id=700317

Comment 7 Cedric Buissart 🐶 2019-01-22 10:14:52 UTC
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)

Comment 8 Cedric Buissart 🐶 2019-01-23 20:02:27 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1668888]

Comment 11 errata-xmlrpc 2019-01-31 18:19:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229

Comment 13 Cedric Buissart 🐶 2019-02-01 14:01:00 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.