Bug 1747956

Summary: CVE-2019-3839 ghostscript: missing attack vector protections for CVE-2019-6116 [fedora-all]

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Cedric Buissart <cbuissar> |
| Component | ghostscript | Assignee | Martin Osvald 🛹 <mosvald> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 30 | CC | deekej, mosvald, twaugh, zdohnal |
| Target Milestone | --- | Keywords | Security, SecurityTracking |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ghostscript-9.27-1.fc31 ghostscript-9.27-1.fc30 ghostscript-9.27-1.fc29 | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-09-22 01:21:18 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1673304 | | |
Description

Cedric Buissart 2019-09-02 10:48:33 UTC

Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1673304,1747956

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates:
https://bodhi.fedoraproject.org/updates/new

In reply to BZ: Bug 1741605 - jbig2dec needs to be rebased to 0.16 (currently 0.14) for ghostscript rebase to 9.27, especially to this comment: https://bugzilla.redhat.com/show_bug.cgi?id=1741605#c1:

~~~
0.16 is in rawhide now (thanks for the ping). Please let me know which Fedora branches you see fit for gs27/jbig2dec - presumably F31, maybe F30, presumably not F29.
~~~

I am deciding whether to rebase to 9.27 even in f29, because I would have to alter some of the existing patches already present in f29:

~~~
[mosvald@localhost f29]$ ls -l
total 140
-rw-rw-r--. 1 mosvald mosvald   923 Sep  2 14:02 ghostscript-9.23-100-run-dvipdf-securely.patch
-rw-rw-r--. 1 mosvald mosvald  1558 Sep  2 14:02 ghostscript-cve-2019-10216.patch
-rw-rw-r--. 1 mosvald mosvald 23014 Sep  2 14:02 ghostscript-cve-2019-3835.patch
-rw-rw-r--. 1 mosvald mosvald  1805 Sep  2 14:02 ghostscript-cve-2019-3838.patch
-rw-rw-r--. 1 mosvald mosvald 27261 Sep  2 14:02 ghostscript-cve-2019-6116.patch
-rw-rw-r--. 1 mosvald mosvald 66907 Sep  2 14:02 ghostscript.spec
-rw-rw-r--. 1 mosvald mosvald  1349 Sep  2 14:02 ghostscript-subclassing-devices-fix-put_image-method.patch
-rw-rw-r--. 1 mosvald mosvald   164 Sep  2 14:02 sources
[mosvald@localhost f29]$ vim ghostscript.spec
...
 96 Patch000: ghostscript-cve-2019-6116.patch
 97 Patch001: ghostscript-subclassing-devices-fix-put_image-method.patch
 98 Patch002: ghostscript-cve-2019-3835.patch
 99 Patch003: ghostscript-cve-2019-3838.patch
100 Patch004: ghostscript-cve-2019-10216.patch
~~~

to match what we fixed in RHEL-8.0.0, so as not to miss anything:

~~~
[mosvald@localhost rhel-8.0.0]$ vim ghostscript.spec
...
 98 Patch008: ghostscript-cve-2019-6116.patch
 99 Patch009: ghostscript-cve-2019-6116-downstream.patch
100 Patch010: ghostscript-cve-2019-3839.patch
101 Patch011: ghostscript-cve-2019-3835.patch
102 Patch012: ghostscript-cve-2019-3838.patch
103 Patch013: ghostscript-fix-DSC-comment-parsing.patch
104 Patch014: ghostscript-pdf2dsc-regression.patch
105 Patch015: ghostscript-cve-2019-10216.patch
~~~

which means adding the commits below, originally added for rhel-8.0.0 (I removed some of them because 9.26 was released in November 2018, just before the first-mentioned advised patch):

~~~
10. [ASSIGNED] Bug 1692798 - EMBARGOED CVE-2019-3839 ghostscript: missing attack vector protections for CVE-2019-6116 [rhel-8.0.z]
...
advised: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fe4c47d8e25d6366ecbb5ff487348148b908a89e Wed, 14 Nov 2018 20:06:38 +0100
dep:     https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=932f4106a00e99e4ee32dcc02e57d3636f383ea1 Thu, 29 Nov 2018 19:59:26 +0100
advised: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e7ff64cf9b756278f19c87d295ee0fd95c955c05 Thu, 24 Jan 2019 17:21:44 +0100
         https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 Fri, 1 Feb 2019 16:49:52 +0100
+ advised small change in https://bugzilla.redhat.com/show_bug.cgi?id=1668891#c7
~~~

so that I could continue with backporting the new CVE, which depends on the previous changes hiding pdfdict: Bug 1747909 - CVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450) [fedora-all]
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

FEDORA-2019-ebd6c4f15a has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ebd6c4f15a

FEDORA-2019-953fc0f16d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-953fc0f16d

ghostscript-9.27-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-953fc0f16d

ghostscript-9.27-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0a9d525d71

ghostscript-9.27-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ebd6c4f15a

ghostscript-9.27-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

ghostscript-9.27-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

ghostscript-9.27-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
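A patch-coverage check for the branch comparison made in the rebase comment above, added here as an example (it is not part of this bug report or of the ghostscript package): it parses the PatchN: tags of two spec files, pulls the CVE ids out of the patch file names, and reports which fixes the f29 branch still lacks relative to rhel-8.0.0. The spec snippets are constructed from the Patch lines quoted in that comment.

```python
import re

# Constructed sample input: the PatchN: tags quoted from the two spec files above.
F29_SPEC = """\
Patch000: ghostscript-cve-2019-6116.patch
Patch001: ghostscript-subclassing-devices-fix-put_image-method.patch
Patch002: ghostscript-cve-2019-3835.patch
Patch003: ghostscript-cve-2019-3838.patch
Patch004: ghostscript-cve-2019-10216.patch
"""
RHEL8_SPEC = """\
Patch008: ghostscript-cve-2019-6116.patch
Patch009: ghostscript-cve-2019-6116-downstream.patch
Patch010: ghostscript-cve-2019-3839.patch
Patch011: ghostscript-cve-2019-3835.patch
Patch012: ghostscript-cve-2019-3838.patch
Patch013: ghostscript-fix-DSC-comment-parsing.patch
Patch014: ghostscript-pdf2dsc-regression.patch
Patch015: ghostscript-cve-2019-10216.patch
"""

# "PatchNNN: file" tag; the number gives the order in which the spec applies patches.
PATCH_TAG = re.compile(r"^\s*Patch(\d+)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# CVE id embedded in a patch file name, e.g. ghostscript-cve-2019-10216.patch
CVE_IN_NAME = re.compile(r"cve-(\d{4}-\d{4,})", re.IGNORECASE)

def patch_files(spec_text):
    """Patch file names declared by PatchN: tags, ordered by tag number."""
    tagged = [(int(num), name) for num, name in PATCH_TAG.findall(spec_text)]
    return [name for _, name in sorted(tagged)]

def cves_covered(spec_text):
    """CVE ids (upper case) that the spec's patch file names claim to fix."""
    found = set()
    for name in patch_files(spec_text):
        match = CVE_IN_NAME.search(name)
        if match:
            found.add("CVE-" + match.group(1))
    return found

def missing_patches(reference_spec, target_spec):
    """Patch files the reference branch applies that the target branch lacks."""
    present = set(patch_files(target_spec))
    return [p for p in patch_files(reference_spec) if p not in present]

def missing_cves(reference_spec, target_spec):
    """CVE ids fixed in the reference branch but not yet patched in the target."""
    return sorted(cves_covered(reference_spec) - cves_covered(target_spec))
```

Note that CVE-named patches are only a proxy: the non-CVE patches in the rhel-8.0.0 list (the downstream follow-up, the DSC parsing fix and the pdf2dsc regression fix) are only caught by the file-name comparison, which is why both checks are reported.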