A vulnerability was found in Artifex Ghostscript before 9.26. The restore_page_device function in psi/zdevice2.c allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
Created ghostscript tracking bugs for this issue:
Affects: fedora-all [bug 1654460]
Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
This vulnerability allows remote code execution when a user opens a specially-crafted PS or PDF file, or when a user uses the file explorer to browse a directory containing such a file (triggering thumbnail generation). CVE-2018-19475 was patched upstream on 12 November (http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3005fcb9bb160af199e761e03bc70a9f249a987e, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315), and a new Ghostscript version containing the patch was released three weeks ago on 20 November (version 9.26: https://www.ghostscript.com/doc/9.26/News.htm).
Debian/Ubuntu patched the vulnerability in November. As it stands, users of RedHat, Fedora, and CentOS are still vulnerable.
I'm part of the team at Semmle; my colleague Man Yue Mo discovered the vulnerability. We take coordinated/responsible disclosure very seriously. With the patch committed to a public Git repository and a new release been made available three weeks ago, we consider the details of this vulnerability to be public knowledge. Please be aware that we will therefore imminently publish more information about the discovery of this vulnerability.
We are aware of the code execution potential of this vulnerability, and the flaw is treated as Important. We are currently actively working on a solution to resolve the different recently discovered flaws without creating regressions.
It is to be noted that starting from Red Hat Enterprise Linux 7.6, the thumbnailer is executed in a sandbox.
Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229