Bug 1654459 (CVE-2018-19475) - CVE-2018-19475 ghostscript: access bypass in psi/zdevice2.c (700153)
Summary: CVE-2018-19475 ghostscript: access bypass in psi/zdevice2.c (700153)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-19475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1654460 1660569 1660570 1660571
Blocks: 1654472
TreeView+ depends on / blocked
 
Reported: 2018-11-28 20:37 UTC by Laura Pardo
Modified: 2019-09-29 15:03 UTC (History)
6 users (show)

Fixed In Version: ghostscript 9.26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-01 14:01:35 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0229 None None None 2019-01-31 18:19:36 UTC

Description Laura Pardo 2018-11-28 20:37:38 UTC
A vulnerability was found in Artifex Ghostscript before 9.26. The restore_page_device function in psi/zdevice2.c allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. 


References:
https://bugs.ghostscript.com/show_bug.cgi?id=700153 
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26

Upstream Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e

Comment 1 Laura Pardo 2018-11-28 20:38:05 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1654460]

Comment 2 Cedric Buissart 2018-12-05 12:37:53 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509

Comment 3 Bas van Schaik 2018-12-11 12:28:57 UTC
This vulnerability allows remote code execution when a user opens a specially-crafted PS or PDF file, or when a user uses the file explorer to browse a directory containing such a file (triggering thumbnail generation). CVE-2018-19475 was patched upstream on 12 November (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315), and a new Ghostscript version containing the patch was released three weeks ago on 20 November (version 9.26: https://www.ghostscript.com/doc/9.26/News.htm).

Debian/Ubuntu patched the vulnerability in November. As it stands, users of RedHat, Fedora, and CentOS are still vulnerable.

I'm part of the team at Semmle; my colleague Man Yue Mo discovered the vulnerability. We take coordinated/responsible disclosure very seriously. With the patch committed to a public Git repository and a new release been made available three weeks ago, we consider the details of this vulnerability to be public knowledge. Please be aware that we will therefore imminently publish more information about the discovery of this vulnerability.

Comment 5 Cedric Buissart 2018-12-18 12:36:53 UTC
We are aware of the code execution potential of this vulnerability, and the flaw is treated as Important. We are currently actively working on a solution to resolve the different recently discovered flaws without creating regressions.

It is to be noted that starting from Red Hat Enterprise Linux 7.6, the thumbnailer is executed in a sandbox.

Comment 9 Cedric Buissart 2018-12-19 10:11:02 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 10 errata-xmlrpc 2019-01-31 18:19:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229

Comment 11 Cedric Buissart 2019-08-21 13:03:36 UTC
External References:

https://blog.semmle.com/ghostscript-CVE-2018-19475/


Note You need to log in before you can comment on or make changes to this bug.