all messages for Guix-related lists mirrored at yhetil.org
* ghostscript vulnerabilities
From: Alex Vong @ 2016-10-12 15:29 UTC (permalink / raw)
  To: guix-devel


Hello,

Below are from the security announcement list:

Salvatore Bonaccorso <carnil@debian.org> writes:

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3691-1                   security@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> October 12, 2016                      https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : ghostscript
> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
>                  CVE-2016-7979 CVE-2016-8602
> Debian Bug     : 839118 839260 839841 839845 839846 840451
>
> Several vulnerabilities were discovered in Ghostscript, the GPL
> PostScript/PDF interpreter, which may lead to the execution of arbitrary
> code or information disclosure if a specially crafted Postscript file is
> processed.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 9.06~dfsg-2+deb8u3.
>
> We recommend that you upgrade your ghostscript packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org

I've checked just now. GNU Ghostscript is also affected at least by
CVE-2016-8602. Looking at the patch in this bug report[0] and the
source[1], one can see that the vulnerable lines are present in GNU
Ghostscript. What should we do now?

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c

Thanks,
Alex



* Re: ghostscript vulnerabilities
From: Leo Famulari @ 2016-10-12 16:20 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel


On Wed, Oct 12, 2016 at 11:29:07PM +0800, Alex Vong wrote:
> > Package        : ghostscript
> > CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
> >                  CVE-2016-7979 CVE-2016-8602
> > Debian Bug     : 839118 839260 839841 839845 839846 840451
> >
> > Several vulnerabilities were discovered in Ghostscript, the GPL
> > PostScript/PDF interpreter, which may lead to the execution of arbitrary
> > code or information disclosure if a specially crafted Postscript file is
> > processed.

> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?

I don't know the relationship between GNU Ghostscript and "upstream"
Ghostscript. Can anyone explain why GNU offers its own distribution?

We can try cherry-picking the upstream commits that fix each of these
bugs [0]. Hopefully they apply to our older Ghostscript version.

If the resulting package's ABI is compatible with our current package, we
can apply it with a graft on the master branch.

We should also apply these patches to the ghostscript package on
core-updates.

Do you want to try it?

Debian helpfully links to the upstream commits corresponding to each
bug:
https://security-tracker.debian.org/tracker/CVE-2013-5653


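Alex's check above (are the lines the upstream patch touches present in GNU Ghostscript's psi/zht2.c?) and Leo's question (will the upstream commits apply to Guix's older Ghostscript?) are the same test: does each hunk's pre-image, its context plus removed lines, occur somewhere in the fork's file, and does its post-image already occur instead. The script below automates that test over a unified diff. It is an added example and not code from the Guix or Ghostscript projects; UPSTREAM_FIX, the three FORK_* snippets and the path psi/example.c are constructed stand-ins, not the real CVE-2016-8602 patch or the real zht2.c. A "needs-port" result means the fork diverged and the check is inconclusive, not that the fork is safe; that is the case where a maintainer has to port the patch by hand.

```python
"""Decide whether an upstream security fix applies to a forked source tree.

Added example, not code from the Guix or Ghostscript projects.  UPSTREAM_FIX
and the FORK_* snippets are constructed stand-ins; they are not the real
CVE-2016-8602 patch or the real psi/zht2.c.
"""
import re
from dataclasses import dataclass, field

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class Hunk:
    path: str
    pre: list = field(default_factory=list)   # context + removed lines
    post: list = field(default_factory=list)  # context + added lines


def parse_unified_diff(text):
    """Parse a unified diff into Hunks.  Line numbers are deliberately ignored:
    a fork's numbering rarely matches upstream's; only the text matters."""
    lines, hunks, path, i = text.splitlines(), [], None, 0
    while i < len(lines):
        line, m = lines[i], HUNK_RE.match(lines[i])
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith(("a/", "b/")) else path
        elif m:
            old_n = int(m.group(2)) if m.group(2) is not None else 1
            new_n = int(m.group(4)) if m.group(4) is not None else 1
            hunk = Hunk(path)
            i += 1
            while old_n > 0 or new_n > 0:  # consume exactly the counted body lines
                if i >= len(lines):
                    raise ValueError("truncated hunk")
                tag, body = (lines[i][0], lines[i][1:]) if lines[i] else (" ", "")
                if tag == " ":
                    hunk.pre.append(body); hunk.post.append(body)
                    old_n -= 1; new_n -= 1
                elif tag == "-":
                    hunk.pre.append(body); old_n -= 1
                elif tag == "+":
                    hunk.post.append(body); new_n -= 1
                elif tag != "\\":  # "\ No newline at end of file" is allowed
                    raise ValueError(f"malformed hunk line: {lines[i]!r}")
                i += 1
            hunks.append(hunk)
            continue
        i += 1
    return hunks


def find_block(haystack, needle):
    """Index of the first contiguous occurrence of needle in haystack, or -1.
    Trailing whitespace is ignored (CRLF, stray spaces); indentation is not."""
    h = [l.rstrip() for l in haystack]
    n = [l.rstrip() for l in needle]
    return next((i for i in range(len(h) - len(n) + 1)
                 if n and h[i:i + len(n)] == n), -1)


def classify_hunk(hunk, source_lines):
    """'fixed'      : the post-image is present; the fix is already in the fork.
       'vulnerable' : the pre-image is present; the fork carries the bug and the
                      hunk should apply cleanly.
       'needs-port' : neither matches; the fork diverged.  Inconclusive, NOT safe.
    The post-image is tested first: a hunk with no trailing context (an addition
    at end of file) has a pre-image of pure leading context, which a fixed file
    also contains."""
    if find_block(source_lines, hunk.post) >= 0:
        return "fixed"
    if find_block(source_lines, hunk.pre) >= 0:
        return "vulnerable"
    return "needs-port"


def assess(patch_text, tree):
    """tree maps fork-relative path -> file contents.  One status per hunk."""
    report = {}
    for h in parse_unified_diff(patch_text):
        src = tree.get(h.path)
        status = "missing-file" if src is None else classify_hunk(h, src.splitlines())
        report.setdefault(h.path, []).append(status)
    return report


def fork_is_affected(report):
    return any(s == "vulnerable" for ss in report.values() for s in ss)


def fork_needs_manual_review(report):
    return any(s in ("needs-port", "missing-file") for ss in report.values() for s in ss)


# --- constructed sample data (hypothetical code, not Ghostscript's) ----------
UPSTREAM_FIX = """\
--- a/psi/example.c
+++ b/psi/example.c
@@ -10,5 +10,7 @@
 static int set_entry(table_t *t, int idx, int value)
 {
-    t->entries[idx] = value;
+    if (idx < 0 || idx >= t->count)
+        return -1;
+    t->entries[idx] = value;
     return 0;
 }
"""
FORK_VULNERABLE = """\
/* constructed fork: pre-fix code, at different line numbers than upstream */
#include "table.h"

static int set_entry(table_t *t, int idx, int value)
{
    t->entries[idx] = value;
    return 0;
}
"""
FORK_FIXED = FORK_VULNERABLE.replace(
    "    t->entries[idx] = value;\n",
    "    if (idx < 0 || idx >= t->count)\n        return -1;\n    t->entries[idx] = value;\n")
FORK_DIVERGED = FORK_VULNERABLE.replace("int idx", "size_t idx")  # refactored signature

if __name__ == "__main__":
    for name, fork in [("vulnerable", FORK_VULNERABLE), ("fixed", FORK_FIXED),
                       ("diverged", FORK_DIVERGED)]:
        report = assess(UPSTREAM_FIX, {"psi/example.c": fork})
        print(name, report, "affected:", fork_is_affected(report),
              "manual review:", fork_needs_manual_review(report))
```

On a real checkout, `git apply --check upstream.patch` gives the same applies/does-not-apply verdict for the pre-image, and `git apply --check -R upstream.patch` succeeding tells you the post-image is already there; neither distinguishes "already fixed" from "diverged" on its own, which is why the script tests both images and reports "needs-port" separately.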

* Re: ghostscript vulnerabilities
From: Leo Famulari @ 2016-10-12 16:26 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel


On Wed, Oct 12, 2016 at 12:20:39PM -0400, Leo Famulari wrote:
> I don't know the relationship between GNU Ghostscript and "upstream"
> Ghostscript. Can anyone explain why GNU offers its own distribution?

Some history here:
https://en.wikipedia.org/wiki/Ghostscript#History

Hopefully the upstream patches will apply to our source code.



* Re: ghostscript vulnerabilities
From: Ludovic Courtès @ 2016-10-12 21:13 UTC (permalink / raw)
  To: bug-ghostscript, didier; +Cc: guix-devel

Hello Didier and all,

We are wondering about the applicability to GNU Ghostscript of the
recent vulnerabilities discovered in AGPL Ghostscript:

Alex Vong <alexvong1995@gmail.com> writes:

> Salvatore Bonaccorso <carnil@debian.org> writes:
>
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-3691-1                   security@debian.org
>> https://www.debian.org/security/                     Salvatore Bonaccorso
>> October 12, 2016                      https://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package        : ghostscript
>> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
>>                  CVE-2016-7979 CVE-2016-8602
>> Debian Bug     : 839118 839260 839841 839845 839846 840451
>>
>> Several vulnerabilities were discovered in Ghostscript, the GPL
>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>> code or information disclosure if a specially crafted Postscript file is
>> processed.

[...]

> I've checked just now. GNU Ghostscript is also affected at least by
> CVE-2016-8602. Looking at the patch in this bug report[0] and the
> source[1], one can see that the vulnerable lines are present in GNU
> Ghostscript. What should we do now?
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c

WDYT?  Perhaps a new release incorporating the fixes is in order?

Thanks,
Ludo’.


* Re: ghostscript vulnerabilities
From: Mark H Weaver @ 2016-10-15  7:36 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript

ludo@gnu.org (Ludovic Courtès) writes:

> Hello Didier and all,
>
> We are wondering about the applicability to GNU Ghostscript of the
> recent vulnerabilities discovered in AGPL Ghostscript:
>
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Salvatore Bonaccorso <carnil@debian.org> writes:
>>
>>> -------------------------------------------------------------------------
>>> Debian Security Advisory DSA-3691-1                   security@debian.org
>>> https://www.debian.org/security/                     Salvatore Bonaccorso
>>> October 12, 2016                      https://www.debian.org/security/faq
>>> -------------------------------------------------------------------------
>>>
>>> Package        : ghostscript
>>> CVE ID         : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 
>>>                  CVE-2016-7979 CVE-2016-8602
>>> Debian Bug     : 839118 839260 839841 839845 839846 840451
>>>
>>> Several vulnerabilities were discovered in Ghostscript, the GPL
>>> PostScript/PDF interpreter, which may lead to the execution of arbitrary
>>> code or information disclosure if a specially crafted Postscript file is
>>> processed.
>
> [...]
>
>> I've checked just now. GNU Ghostscript is also affected at least by
>> CVE-2016-8602. Looking at the patch in this bug report[0] and the
>> source[1], one can see that the vulnerable lines are present in GNU
>> Ghostscript. What should we do now?
>>
>> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451
>> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c
>
> WDYT?  Perhaps a new release incorporating the fixes is in order?

FYI, I ported the upstream patches to GNU ghostscript for GNU Guix.
You can find them here:

http://git.savannah.gnu.org/cgit/guix.git/commit/?id=1de17a648fa631f0074d315bfff0716220ce4880

      Mark


* Re: ghostscript vulnerabilities
From: Didier Link @ 2016-10-16  9:16 UTC (permalink / raw)
  To: Mark H Weaver, Ludovic Courtès; +Cc: didier, guix-devel, bug-ghostscript




Hello all

I will review Mark's patches and apply them for a security release
next week.

Thanks for your help!

Best regards

Didier



* Re: ghostscript vulnerabilities
From: Alex Vong @ 2016-10-16 15:47 UTC (permalink / raw)
  To: Didier Link; +Cc: guix-devel, bug-ghostscript


Hello,

I notice the patch for CVE-2016-7977[0] handles the problem differently
than GNU Ghostscript[1] does. Maybe you can take a look at it.

[0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
[1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c

Thanks,
Alex


* Re: ghostscript vulnerabilities
From: Didier Link @ 2016-11-06 18:34 UTC (permalink / raw)
  To: bug-ghostscript; +Cc: guix-devel



On 16/10/2016 at 17:47, Alex Vong wrote:
> Hello,
>
> I notice the patch for CVE-2016-7977[0] handles the problem differently
> than GNU Ghostscript[1] does. Maybe you can take a look at it.
>
> [0]: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
> [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zfile.c
>
> Thanks,
> Alex

Hello,

I've just released a gnu-ghostscript point release with the CVE patches
adapted by Mark (really, thanks!!!).

For CVE-2016-7977, I've seen that the file concerned was modified in a
later release of gpl-ghostscript; I will see in a later release of the GNU
version ;)

Best regards

Didier


* Re: ghostscript vulnerabilities
From: Ludovic Courtès @ 2016-11-06 21:38 UTC (permalink / raw)
  To: Didier Link; +Cc: guix-devel, bug-ghostscript

Hi Didier,

Didier Link <didier@famille-link.fr> writes:

> I've just released a gnu-ghostscript point release with the CVE patches
> adapted by Mark (really, thanks!!!).

Thank you!

> For CVE-2016-7977, I've seen that the file concerned was modified in a
> later release of gpl-ghostscript; I will see in a later release of the GNU
> version ;)

So is GNU Ghostscript 9.14.1 still vulnerable to CVE-2016-7977?

Cheers,
Ludo’.

