2184585 – (CVE-2023-28879) CVE-2023-28879 ghostscript: buffer overflow in base/sbcp.c leading to data corruption

Bug 2184585 (CVE-2023-28879) - CVE-2023-28879 ghostscript: buffer overflow in base/sbcp.c leading to data corruption

Summary: CVE-2023-28879 ghostscript: buffer overflow in base/sbcp.c leading to data co...

Keywords:
Status:	NEW
Alias:	CVE-2023-28879
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2184586 2188297 2188299 2188300
Blocks:	2183631
TreeView+	depends on / blocked

Reported:	2023-04-05 06:00 UTC by TEJ RATHI
Modified:	2024-02-01 01:40 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:6544	0	None	None	None	2023-11-07 08:19:18 UTC
Red Hat Product Errata	RHSA-2023:7053	0	None	None	None	2023-11-14 15:19:27 UTC

Description TEJ RATHI 2023-04-05 06:00:25 UTC

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.

https://bugs.ghostscript.com/show_bug.cgi?id=706494
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=37ed5022cecd584de868933b5b60da2e995b3179
https://ghostscript.readthedocs.io/en/latest/News.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00003.html

Comment 1 TEJ RATHI 2023-04-05 06:00:44 UTC

Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2184586]

Comment 2 Sandipan Roy 2023-04-19 06:44:15 UTC

https://offsec.almond.consulting/ghostscript-cve-2023-28879.html
https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript

Comment 4 Dhananjay Arunesh 2023-05-05 08:46:09 UTC

Why AV -> L ?

As per documentation [1] specially the "Invoking Ghostscript" section, Ghostscript can be used as a command line client just like any other command/executable or Ghostscript can also be used as a general engine inside other applications. Considering above use cases the "Attack vector" differs between being "Local" or "Network". If a custom application happens to be using the Python pillow library which internally uses the Ghostscript command line as shown in the original writeup [3] and accepts input over the network then there is a possibility of this being exploited over the network. However if this is not the case then attack vector can be considered "Local" someone needs to manually invoke the command line client on a given machine.


[1] https://ghostscript.com/docs/9.54.0/Use.htm
[2] https://github.com/python-pillow/Pillow/blob/main/src/PIL/EpsImagePlugin.py
[3] https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

Comment 9 errata-xmlrpc 2023-11-07 08:19:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6544 https://access.redhat.com/errata/RHSA-2023:6544

Comment 10 errata-xmlrpc 2023-11-14 15:19:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7053 https://access.redhat.com/errata/RHSA-2023:7053

Note You need to log in before you can comment on or make changes to this bug.