Bug 2217798 (CVE-2023-36664)

Summary: CVE-2023-36664 ghostscript: vulnerable to OS command injection due to mishandles permission validation for pipe devices
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bhoefer, bmason, leonfauster, mdogra, mjg, nobody, rlescak, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Ghostscript. This flaw occurs due to a mishandled permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-01 11:35:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2217799, 2217800, 2217801, 2217802, 2217803, 2217804, 2217805, 2217806, 2217807, 2217808, 2217809, 2217810    
Bug Blocks: 2213478    

Description Sandipan Roy 2023-06-27 06:45:59 UTC 
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

References
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
https://bugs.ghostscript.com/show_bug.cgi?id=706761
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c
Comment 1 Sandipan Roy 2023-06-27 06:48:53 UTC 
Created ghostscript tracking bugs for this issue:

Affects: fedora-37 [bug 2217805]
Affects: fedora-38 [bug 2217806]
Comment 8 Michael J Gruber 2023-07-14 08:18:04 UTC 
(In reply to Sandipan Roy from comment #0)
> Artifex Ghostscript through 10.01.2 mishandles permission validation for
> pipe devices (with the %pipe% prefix or the | pipe character prefix).
> 
> References
> https://git.ghostscript.com/?p=ghostpdl.git;a=commit;
> h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d
> https://bugs.ghostscript.com/show_bug.cgi?id=706761
> https://git.ghostscript.com/?p=ghostpdl.git;a=commit;
> h=505eab7782b429017eb434b2b95120855f2b0e3c

Are you sure "through 10.01.2" is correct?

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099

seem to be the corresponding commits in the 10.01.2 release.
Comment 10 Michael J Gruber 2023-07-21 09:06:55 UTC 
FYI: If someone cares to give karma on the F37 update then that one will go stable, too. F39/F38 are already.

All the others bugs are locked. Good luck :)
Comment 11 errata-xmlrpc 2023-07-31 08:23:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4324 https://access.redhat.com/errata/RHSA-2023:4324
Comment 12 Product Security DevOps Team 2023-08-01 11:35:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-36664
Comment 13 errata-xmlrpc 2023-10-05 13:49:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5459 https://access.redhat.com/errata/RHSA-2023:5459
Comment 15 Red Hat Bugzilla 2024-03-03 04:25:12 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days