Bug 2184585 (CVE-2023-28879)

Summary: CVE-2023-28879 ghostscript: buffer overflow in base/sbcp.c leading to data corruption
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: kyoshida, mschibli, nobody
Keywords: Security
Hardware: All
OS: Linux
Bug Depends On: 2184586, 2188297, 2188299, 2188300
Bug Blocks: 2183631

Description TEJ RATHI 2023-04-05 06:00:25 UTC
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

https://bugs.ghostscript.com/show_bug.cgi?id=706494
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=37ed5022cecd584de868933b5b60da2e995b3179
https://ghostscript.readthedocs.io/en/latest/News.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00003.html
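
The one-byte-short condition from the description, as an added example that is not Ghostscript's code: a simplified BCP-style encoder whose bounds check can be switched between the flawed one-byte test and the corrected two-byte test, with a canary slot past the buffer end so the stray write is observable. The escape byte, XOR mask and escape set are assumed values for this example, not copied from base/sbcp.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Escape byte, XOR mask and escape set are assumed for this example; the
 * real tables live in Ghostscript's base/sbcp.c and are not copied here. */
#define BCP_ESCAPE 0x01
#define BCP_XOR    0x40

static bool needs_escape(uint8_t ch)
{
    /* assumed escape set for the example: 0x01,03,04,05,11,13,14,1b,1c */
    return ch < 32 && ((1u << ch) & 0x181A003Au);
}

/* Encode n input bytes into out (capacity cap); returns bytes written and
 * stores the input bytes used in *consumed so the caller can drain and resume.
 * safe == false reproduces the CVE-2023-28879 pattern: the check asks for one
 * free byte, but an escaped character emits two, so with exactly one byte of
 * room the second write lands at out[cap].  safe == true requires two. */
static size_t bcp_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap,
                         bool safe, size_t *consumed)
{
    size_t i = 0, w = 0;
    for (; i < n; i++) {
        uint8_t ch = in[i];
        bool esc = needs_escape(ch);
        if (w >= cap || cap - w < ((esc && safe) ? 2u : 1u))
            break;                          /* no room: stop, keep ch for later */
        if (esc)
            out[w++] = BCP_ESCAPE;          /* with !safe the next write may hit out[cap] */
        out[w++] = esc ? (uint8_t)(ch ^ BCP_XOR) : ch;
    }
    *consumed = i;
    return w;
}

/* Self-check: constructed input "ab\x04" into cap 3, so exactly one byte is
 * free when the escaped byte is reached.  The array is one byte larger than
 * cap and holds a canary there, keeping the buggy variant's stray write observable. */
struct demo_result { size_t written, consumed; bool canary_ok; };
static struct demo_result demo(bool safe)
{
    const uint8_t in[] = { 'a', 'b', 0x04 };
    uint8_t out[4] = { 0, 0, 0, 0xAA };
    struct demo_result r;
    r.written = bcp_encode(in, sizeof in, out, 3, safe, &r.consumed);
    r.canary_ok = (out[3] == 0xAA);
    return r;
}
```

With the corrected check the encoder stops before the escape pair and reports two consumed bytes, so the caller can flush and resume; the flawed check overwrites the canary.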

Comment 1 TEJ RATHI 2023-04-05 06:00:44 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2184586]

Comment 4 Dhananjay Arunesh 2023-05-05 08:46:09 UTC
Why AV -> L?

As per the documentation [1], especially the "Invoking Ghostscript" section, Ghostscript can be used as a command line client just like any other command/executable, or it can be used as a general engine inside other applications. Considering the above use cases, the "Attack vector" differs between being "Local" or "Network". If a custom application happens to be using the Python Pillow library, which internally uses the Ghostscript command line as shown in the original writeup [3], and accepts input over the network, then there is a possibility of this being exploited over the network. However, if this is not the case, then the attack vector can be considered "Local": someone needs to manually invoke the command line client on a given machine.

[1] https://ghostscript.com/docs/9.54.0/Use.htm
[2] https://github.com/python-pillow/Pillow/blob/main/src/PIL/EpsImagePlugin.py
[3] https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Comment 9 errata-xmlrpc 2023-11-07 08:19:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6544 https://access.redhat.com/errata/RHSA-2023:6544

Comment 10 errata-xmlrpc 2023-11-14 15:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7053 https://access.redhat.com/errata/RHSA-2023:7053