Bug 1619748 (CVE-2018-16509) - CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore (699654)
Summary: CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore (699654)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16509
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180821,repo...
Depends On: 1621156 1621158 1621161 1641124 1654362
Blocks: 1619570 1622603 1622604
TreeView+ depends on / blocked
 
Reported: 2018-08-21 16:04 UTC by Stefan Cornelius
Modified: 2019-06-08 23:33 UTC (History)
26 users (show)

Fixed In Version: ghostscript 9.24
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.
Clone Of:
Environment:
Last Closed: 2018-12-04 16:19:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2918 None None None 2018-10-16 02:25:33 UTC
Red Hat Product Errata RHSA-2018:3760 None None None 2018-12-03 23:52:48 UTC

Description Stefan Cornelius 2018-08-21 16:04:11 UTC
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. A specially crafted PostScript document could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands.

Comment 1 Stefan Cornelius 2018-08-21 16:25:32 UTC
External References:

http://seclists.org/oss-sec/2018/q3/142

Comment 8 Stefan Cornelius 2018-08-23 15:36:45 UTC
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)

Comment 10 Jason Shepherd 2018-08-27 08:24:35 UTC
Mediawiki was only introduced in OCP 3.x in version 3.6. Setting 3.5 and earlier as not affected. References:

https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/openshift3/mediawiki-apb
https://access.redhat.com/containers/?tab=tags#/registry.access.redhat.com/openshift3/mediawiki-123

Comment 11 Jason Shepherd 2018-08-27 09:14:17 UTC
While the openshift3/mediawiki123-123 container has the ghostscript and ImageMagick rpms installed they aren't used by anything. Setting all OCP 3.x versions to not affected.

Comment 17 jfrank 2018-09-19 12:53:51 UTC
when will the fix for Red Hat Enterprise Linux 7 be released?
Thanks!

Comment 23 errata-xmlrpc 2018-10-16 02:25:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2918 https://access.redhat.com/errata/RHSA-2018:2918

Comment 24 Ben Russo 2018-10-19 15:31:58 UTC
Would like to ask if the recent release of EXPLOIT code on the web, and the news reports of this vulnerability being exploited in the wild increases RedHat's rating.

Also, according to https://access.redhat.com/support/policy/updates/errata/
RHEL6 in "Maintenance" mode has the same "Yes" in the column for Asynchronous Security Errata as it did under the prior life cycle phases.  

Please produce a patch for RHEL6.

Comment 25 Pedro Sampaio 2018-10-19 16:42:37 UTC
Statement:

This issue did affect the versions of ghostscript as shipped with Red Hat Enterprise Linux 5, 6, and 7. 

Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 29 Cedric Buissart 🐶 2018-11-28 15:26:04 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1654362]

Comment 30 errata-xmlrpc 2018-12-03 23:52:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3760 https://access.redhat.com/errata/RHSA-2018:3760

Comment 31 Cedric Buissart 🐶 2019-02-25 16:53:54 UTC
Mitigation:

* ImageMagick relies on ghostscript when processing certain files formats. Thus, ImageMagick can be used as an attack vector. In order to prevent ImageMagick from processing those files on Red Hat Enterprise Linux 6 and 7, you can disable the use of ghostscript and the processing of PS, EPS, PDF, and XPS file formats in ImageMagick's security policy by opening /etc/ImageMagick/policy.xml and adding the following lines to the "<policymap>" section of the file:

<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
<policy domain="delegate" rights="none" pattern="gs" />


* Additionally, this issue can be triggered when processing files in order to generate thumbnails, for example when browsing a folder containing a malicious PostScript file in Nautilus. To prevent this, remove or rename the "/usr/bin/evince-thumbnailer" executable.
In Red Hat Enterprise Linux v.7.6 and above, the thumbnailing is done in a sandbox.

* It is possible to run PDF/PS viewers, such as evince and okular, in a SELinux sandbox using the `sandbox` command from the policycoreutils-sandbox package :
$ sandbox -X evince <untrusted-file.pdf>
The sandbox will prevent an attacker to make modifications on the file system.


Note You need to log in before you can comment on or make changes to this bug.