ESB-2018.2970 - [SUSE] ghostscript: Multiple vulnerabilities 2018-10-03



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2970
           SUSE Security Update: Security update for ghostscript
                              3 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ghostscript
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17183 CVE-2018-16802 CVE-2018-16585
                   CVE-2018-16543 CVE-2018-16542 CVE-2018-16541
                   CVE-2018-16540 CVE-2018-16539 CVE-2018-16513
                   CVE-2018-16511 CVE-2018-16510 CVE-2018-16509
                   CVE-2018-15911 CVE-2018-15910 CVE-2018-15909
                   CVE-2018-15908  

Reference:         ESB-2018.2956
                   ESB-2018.2939

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182975-1.html
   https://www.suse.com/support/update/announcement/2018/suse-su-20182976-1.html

Comment: This bulletin contains two (2) SUSE security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2975-1
Rating:             important
References:         #1106171 #1106172 #1106173 #1106195 #1107410 
                    #1107411 #1107412 #1107413 #1107420 #1107421 
                    #1107422 #1107423 #1107426 #1107581 #1108027 
                    #1109105 
Cross-References:   CVE-2018-15908 CVE-2018-15909 CVE-2018-15910
                    CVE-2018-15911 CVE-2018-16509 CVE-2018-16510
                    CVE-2018-16511 CVE-2018-16513 CVE-2018-16539
                    CVE-2018-16540 CVE-2018-16541 CVE-2018-16542
                    CVE-2018-16543 CVE-2018-16585 CVE-2018-16802
                    CVE-2018-17183
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Desktop 12-SP3
                    SUSE Enterprise Storage 4
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for ghostscript to version 9.25 fixes the following issues:

   These security issues were fixed:

   - CVE-2018-17183: Remote attackers were able to supply crafted
     PostScript to potentially overwrite or replace error handlers to inject
     code (bsc#1109105).
   - CVE-2018-15909: Prevent type confusion using the .shfill operator that
     could have been used by attackers able to supply crafted PostScript
     files to crash the interpreter or potentially execute code (bsc#1106172).
   - CVE-2018-15908: Prevent attackers that are able to supply malicious
     PostScript files to bypass .tempfile restrictions and write files
     (bsc#1106171).
   - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams
     parameter that could have been used to crash the interpreter or execute
     code (bsc#1106173).
   - CVE-2018-15911: Prevent uninitialized memory access in the aesdecode
     operator that could have been used to crash the interpreter or
     potentially execute code (bsc#1106195).
   - CVE-2018-16513: Prevent a type confusion in the setcolor function that
     could have been used to crash the interpreter or possibly have
     unspecified other impact (bsc#1107412).
   - CVE-2018-16509: Incorrect "restoration of privilege" checking during
     handling of /invalidaccess exceptions could have been used by attackers
     able to supply crafted PostScript to execute code using the "pipe"
     instruction (bsc#1107410).
   - CVE-2018-16510: Incorrect exec stack handling in the "CS" and "SC" PDF
     primitives could have been used by remote attackers able to supply
     crafted PDFs to crash the interpreter or possibly have unspecified other
     impact (bsc#1107411).
   - CVE-2018-16542: Prevent attackers able to supply crafted PostScript
     files from using insufficient interpreter stack-size checking during
     error handling to crash the interpreter (bsc#1107413).
   - CVE-2018-16541: Prevent attackers able to supply crafted PostScript
     files from using incorrect free logic in pagedevice replacement to crash
     the interpreter (bsc#1107421).
   - CVE-2018-16540: Prevent use-after-free in copydevice handling that could
     have been used to crash the interpreter or possibly have unspecified
     other impact (bsc#1107420).
   - CVE-2018-16539: Prevent attackers able to supply crafted PostScript
     files from using incorrect access checking in temp file handling to
     disclose contents of files on the system otherwise not readable
     (bsc#1107422).
   - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to
     have an unspecified impact (bsc#1107423).
   - CVE-2018-16511: A type confusion in "ztype" could have been used by
     remote attackers able to supply crafted PostScript to crash the
     interpreter or possibly have unspecified other impact (bsc#1107426).
   - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted
     even though it is not intended for use during document processing (e.g.,
     after the startup phase). This led to memory corruption, allowing
     remote attackers able to supply crafted PostScript to crash the
     interpreter or possibly have unspecified other impact (bsc#1107581).
   - CVE-2018-16802: Incorrect "restoration of privilege" checking when
     running out of stack during exception handling could have been used by
     attackers able to supply crafted PostScript to execute code using the
     "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509
     (bsc#1108027).

   These non-security issues were fixed:

   * Fixes problems with argument handling, some unintended results of the
     security fixes to the SAFER file access restrictions (specifically
     accessing ICC profile files).
   * Prevent ps2epsi from failing with
     'Error: /undefined in --setpagedevice--'.

   For additional changes please check
   http://www.ghostscript.com/doc/9.25/News.htm and the changes file of the
   package.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2121=1

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-2121=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2121=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2121=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2121=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2121=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-2121=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2121=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-2121=1



Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-devel-9.25-23.13.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1

   - SUSE Enterprise Storage 4 (x86_64):

      ghostscript-9.25-23.13.1
      ghostscript-debuginfo-9.25-23.13.1
      ghostscript-debugsource-9.25-23.13.1
      ghostscript-x11-9.25-23.13.1
      ghostscript-x11-debuginfo-9.25-23.13.1


References:

   https://www.suse.com/security/cve/CVE-2018-15908.html
   https://www.suse.com/security/cve/CVE-2018-15909.html
   https://www.suse.com/security/cve/CVE-2018-15910.html
   https://www.suse.com/security/cve/CVE-2018-15911.html
   https://www.suse.com/security/cve/CVE-2018-16509.html
   https://www.suse.com/security/cve/CVE-2018-16510.html
   https://www.suse.com/security/cve/CVE-2018-16511.html
   https://www.suse.com/security/cve/CVE-2018-16513.html
   https://www.suse.com/security/cve/CVE-2018-16539.html
   https://www.suse.com/security/cve/CVE-2018-16540.html
   https://www.suse.com/security/cve/CVE-2018-16541.html
   https://www.suse.com/security/cve/CVE-2018-16542.html
   https://www.suse.com/security/cve/CVE-2018-16543.html
   https://www.suse.com/security/cve/CVE-2018-16585.html
   https://www.suse.com/security/cve/CVE-2018-16802.html
   https://www.suse.com/security/cve/CVE-2018-17183.html
   https://bugzilla.suse.com/1106171
   https://bugzilla.suse.com/1106172
   https://bugzilla.suse.com/1106173
   https://bugzilla.suse.com/1106195
   https://bugzilla.suse.com/1107410
   https://bugzilla.suse.com/1107411
   https://bugzilla.suse.com/1107412
   https://bugzilla.suse.com/1107413
   https://bugzilla.suse.com/1107420
   https://bugzilla.suse.com/1107421
   https://bugzilla.suse.com/1107422
   https://bugzilla.suse.com/1107423
   https://bugzilla.suse.com/1107426
   https://bugzilla.suse.com/1107581
   https://bugzilla.suse.com/1108027
   https://bugzilla.suse.com/1109105

---

   SUSE Security Update: Security update for ghostscript
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2976-1
Rating:             important
References:         #1106171 #1106172 #1106173 #1106195 #1107410 
                    #1107411 #1107412 #1107413 #1107420 #1107421 
                    #1107422 #1107423 #1107426 #1107581 #1108027 
                    #1109105 
Cross-References:   CVE-2018-15908 CVE-2018-15909 CVE-2018-15910
                    CVE-2018-15911 CVE-2018-16509 CVE-2018-16510
                    CVE-2018-16511 CVE-2018-16513 CVE-2018-16539
                    CVE-2018-16540 CVE-2018-16541 CVE-2018-16542
                    CVE-2018-16543 CVE-2018-16585 CVE-2018-16802
                    CVE-2018-17183
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for ghostscript to version 9.25 fixes the following issues:

   These security issues were fixed:

   - CVE-2018-17183: Remote attackers were able to supply crafted
     PostScript to potentially overwrite or replace error handlers to inject
     code (bsc#1109105).
   - CVE-2018-15909: Prevent type confusion using the .shfill operator that
     could have been used by attackers able to supply crafted PostScript
     files to crash the interpreter or potentially execute code (bsc#1106172).
   - CVE-2018-15908: Prevent attackers that are able to supply malicious
     PostScript files to bypass .tempfile restrictions and write files
     (bsc#1106171).
   - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams
     parameter that could have been used to crash the interpreter or execute
     code (bsc#1106173).
   - CVE-2018-15911: Prevent uninitialized memory access in the aesdecode
     operator that could have been used to crash the interpreter or
     potentially execute code (bsc#1106195).
   - CVE-2018-16513: Prevent a type confusion in the setcolor function that
     could have been used to crash the interpreter or possibly have
     unspecified other impact (bsc#1107412).
   - CVE-2018-16509: Incorrect "restoration of privilege" checking during
     handling of /invalidaccess exceptions could have been used by attackers
     able to supply crafted PostScript to execute code using the "pipe"
     instruction (bsc#1107410).
   - CVE-2018-16510: Incorrect exec stack handling in the "CS" and "SC" PDF
     primitives could have been used by remote attackers able to supply
     crafted PDFs to crash the interpreter or possibly have unspecified other
     impact (bsc#1107411).
   - CVE-2018-16542: Prevent attackers able to supply crafted PostScript
     files from using insufficient interpreter stack-size checking during
     error handling to crash the interpreter (bsc#1107413).
   - CVE-2018-16541: Prevent attackers able to supply crafted PostScript
     files from using incorrect free logic in pagedevice replacement to crash
     the interpreter (bsc#1107421).
   - CVE-2018-16540: Prevent use-after-free in copydevice handling that could
     have been used to crash the interpreter or possibly have unspecified
     other impact (bsc#1107420).
   - CVE-2018-16539: Prevent attackers able to supply crafted PostScript
     files from using incorrect access checking in temp file handling to
     disclose contents of files on the system otherwise not readable
     (bsc#1107422).
   - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to
     have an unspecified impact (bsc#1107423).
   - CVE-2018-16511: A type confusion in "ztype" could have been used by
     remote attackers able to supply crafted PostScript to crash the
     interpreter or possibly have unspecified other impact (bsc#1107426).
   - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted
     even though it is not intended for use during document processing (e.g.,
     after the startup phase). This led to memory corruption, allowing
     remote attackers able to supply crafted PostScript to crash the
     interpreter or possibly have unspecified other impact (bsc#1107581).
   - CVE-2018-16802: Incorrect "restoration of privilege" checking when
     running out of stack during exception handling could have been used by
     attackers able to supply crafted PostScript to execute code using the
     "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509
     (bsc#1108027).

   These non-security issues were fixed:

   * Fixes problems with argument handling, some unintended results of the
     security fixes to the SAFER file access restrictions (specifically
     accessing ICC profile files).
   * Prevent ps2epsi from failing with
     'Error: /undefined in --setpagedevice--'.

   For additional changes please check
   http://www.ghostscript.com/doc/9.25/News.htm

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2119=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-2119=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      libspectre-debugsource-0.2.8-3.2.1
      libspectre-devel-0.2.8-3.2.1
      libspectre1-0.2.8-3.2.1
      libspectre1-debuginfo-0.2.8-3.2.1

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      ghostscript-9.25-3.6.1
      ghostscript-debuginfo-9.25-3.6.1
      ghostscript-debugsource-9.25-3.6.1
      ghostscript-devel-9.25-3.6.1
      ghostscript-x11-9.25-3.6.1
      ghostscript-x11-debuginfo-9.25-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2018-15908.html
   https://www.suse.com/security/cve/CVE-2018-15909.html
   https://www.suse.com/security/cve/CVE-2018-15910.html
   https://www.suse.com/security/cve/CVE-2018-15911.html
   https://www.suse.com/security/cve/CVE-2018-16509.html
   https://www.suse.com/security/cve/CVE-2018-16510.html
   https://www.suse.com/security/cve/CVE-2018-16511.html
   https://www.suse.com/security/cve/CVE-2018-16513.html
   https://www.suse.com/security/cve/CVE-2018-16539.html
   https://www.suse.com/security/cve/CVE-2018-16540.html
   https://www.suse.com/security/cve/CVE-2018-16541.html
   https://www.suse.com/security/cve/CVE-2018-16542.html
   https://www.suse.com/security/cve/CVE-2018-16543.html
   https://www.suse.com/security/cve/CVE-2018-16585.html
   https://www.suse.com/security/cve/CVE-2018-16802.html
   https://www.suse.com/security/cve/CVE-2018-17183.html
   https://bugzilla.suse.com/1106171
   https://bugzilla.suse.com/1106172
   https://bugzilla.suse.com/1106173
   https://bugzilla.suse.com/1106195
   https://bugzilla.suse.com/1107410
   https://bugzilla.suse.com/1107411
   https://bugzilla.suse.com/1107412
   https://bugzilla.suse.com/1107413
   https://bugzilla.suse.com/1107420
   https://bugzilla.suse.com/1107421
   https://bugzilla.suse.com/1107422
   https://bugzilla.suse.com/1107423
   https://bugzilla.suse.com/1107426
   https://bugzilla.suse.com/1107581
   https://bugzilla.suse.com/1108027
   https://bugzilla.suse.com/1109105

--------------------------END INCLUDED TEXT--------------------
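
A fleet check against the fixed builds in the two package lists above, as an
added example that is not part of the SUSE or AusCERT text. It assumes each
host's inventory was collected with
rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'; the sample inventories are
constructed, and the comparison is a simplified form of RPM's version ordering
that ignores epochs and '~'.

```python
import re

# Fixed builds, copied from the package lists of the two SUSE announcements.
FIXED = {
    "SUSE-SU-2018:2975-1": {
        "ghostscript": "9.25-23.13.1",
        "ghostscript-x11": "9.25-23.13.1",
        "ghostscript-devel": "9.25-23.13.1",
    },
    "SUSE-SU-2018:2976-1": {
        "ghostscript": "9.25-3.6.1",
        "ghostscript-x11": "9.25-3.6.1",
        "ghostscript-devel": "9.25-3.6.1",
        "libspectre1": "0.2.8-3.2.1",
        "libspectre-devel": "0.2.8-3.2.1",
    },
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings segment by segment.

    Simplified RPM ordering: digit runs compare as integers, letter runs as
    strings, a digit run beats a letter run, extra segments make it newer.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            x, y = int(x), int(y)      # "9" < "25", unlike a string compare
        elif x_num != y_num:
            return 1 if x_num else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings; the version decides first."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(advisory, rpm_lines):
    """Return (name, installed, fixed) for packages older than the fix."""
    fixed = FIXED[advisory]
    findings = []
    for line in rpm_lines.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in fixed:
            continue                   # unrelated package or malformed line
        name, installed = parts
        if evr_cmp(installed, fixed[name]) < 0:
            findings.append((name, installed, fixed[name]))
    return findings


# Constructed inventories (not real host data).
SAMPLE_2975 = "ghostscript 9.15-23.10.1\nghostscript-x11 9.25-23.13.1\nbash 4.3-83.5.2\n"
SAMPLE_2976 = "ghostscript 9.25-3.6.1\nlibspectre1 0.2.8-3.1.9\nghostscript-devel 9.26-3.9.1\n"

if __name__ == "__main__":
    for adv, inv in (("SUSE-SU-2018:2975-1", SAMPLE_2975),
                     ("SUSE-SU-2018:2976-1", SAMPLE_2976)):
        for name, have, need in audit(adv, inv):
            print(f"{adv}: {name} {have} is older than fixed build {need}")
```
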

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================