Bug 1655599 (CVE-2018-19134) - CVE-2018-19134 ghostscript: Type confusion in setpattern (700141)
Summary: CVE-2018-19134 ghostscript: Type confusion in setpattern (700141)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-19134
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1655937 1655939 1656320 1656336
Blocks: 1655596
TreeView+ depends on / blocked
 
Reported: 2018-12-03 14:20 UTC by Cedric Buissart
Modified: 2021-02-16 22:43 UTC (History)
7 users (show)

Fixed In Version: ghostscript 9.26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-18 08:31:48 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3834 0 None None None 2018-12-17 19:58:27 UTC

Description Cedric Buissart 2018-12-03 14:20:57 UTC
There is a missing type check in line 292 of zcolor.c:

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l292

Here `pPatInst` comes from the first array element of `pImpl`

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l289

which comes from `op`:

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=74b428801eda5c75d70cf55e88c407484b554527;hb=5a4fec2a34af925993192e197ab666fe542b79d3#l286

The type of `pPatInst` is not checked and is used in `r_ptr`, which accesses its `pstruct` value and then cast it into `gs_pattern_instance_t`. As `op` is an untrusted argument, this can lead to type confusion issue when parsing malicious postscript. (Access to arbitrary pointer)


Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=700141

Upstream fix:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=693baf02152119af6e6afd30bb8ec76d14f84bbf

Comment 3 Cedric Buissart 2018-12-05 09:12:13 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1656320]

Comment 5 Cedric Buissart 2018-12-05 12:38:31 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509

Comment 6 Bas van Schaik 2018-12-11 12:18:53 UTC
This vulnerability allows remote code execution when a user opens a specially-crafted PS or PDF file, or when a user uses the file explorer to browse a directory containing such a file (triggering thumbnail generation). CVE-2018-19134 was patched upstream on 8 November (http://git.ghostscript.com/?p=ghostpdl.git;h=693baf02152119af6e6afd30bb8ec76d14f84bbf), and a new Ghostscript version containing the patch was released three weeks ago on 20 November (version 9.26: https://www.ghostscript.com/doc/9.26/News.htm).

Debian/Ubuntu patched the vulnerability in November. As it stands, users of RedHat, Fedora, and CentOS are still vulnerable.

I'm part of the team at Semmle; my colleague Man Yue Mo discovered the vulnerability. We take coordinated/responsible disclosure very seriously. With the patch committed to a public Git repository and a new release been made available three weeks ago, we consider the details of this vulnerability to be public knowledge. Please be aware that we will therefore imminently publish more information about the discovery of this vulnerability.

Comment 7 Cedric Buissart 2018-12-12 09:18:25 UTC
We are aware of the code execution potential of this vulnerability, and the flaw is treated as Important. We are currently actively working on a solution to resolve the different recently discovered flaws without creating regressions.

It is to be noted that starting from Red Hat Enterprise Linux 7.6, the thumbnailer is executed in a sandbox.

Comment 9 errata-xmlrpc 2018-12-17 19:58:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3834 https://access.redhat.com/errata/RHSA-2018:3834

Comment 10 Cedric Buissart 2018-12-18 08:40:21 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.