Arch Linux

FS#59778 - [libmagick] Apply workaround for Ghostscript RCE vuln

Attached to Project: Arch Linux
Opened by Tommy Schmitt (spinka) - Thursday, 23 August 2018, 16:25 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 28 August 2018, 14:48 GMT
Task Type: Bug Report
Category: Security
Status: Assigned (Reopened)
Assigned To: Andreas Radke (AndyRTR), Levente Polyak (anthraxx)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 1
Private: No

Details

Description:

Recently a new batch of Ghostscript RCE bugs was disclosed in public:

http://openwall.com/lists/oss-security/2018/08/21/2
https://www.kb.cert.org/vuls/id/332928

There is no upstream patch for them, and there are others, two years old, that are still unfixed:
http://openwall.com/lists/oss-security/2018/08/22/3

The one thing that Arch can do is add the line below to '/etc/ImageMagick-7/policy.xml', which belongs to the libmagick package:

<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />

This is the recommended action for all distros.

Steps to reproduce:
1. Install 'imagemagick' and 'ghostscript' packages.
2. Create shellexec.jpeg with the content below:
cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

3. Execute 'convert shellexec.jpeg whatever.gif'
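An added check (not part of this report or of ImageMagick) for confirming that a policy.xml really carries the coder restriction quoted above: it parses the file, collects every "coder" policy with rights="none", expands ImageMagick's {a,b} brace patterns, and reports which of the Ghostscript-backed coders (PS, PS2, PS3, EPS, PDF, XPS) are still allowed. The two sample policies and the helper names are constructed for the example.

```python
"""Audit an ImageMagick policy.xml for the Ghostscript-coder restriction.

Added example, not part of this bug report or of ImageMagick itself. It
parses a policy file and reports which Ghostscript-backed coders (PS, PS2,
PS3, EPS, PDF, XPS) are still allowed, so a defender can confirm that the
workaround line from the report is actually in effect.
"""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders that ImageMagick hands to Ghostscript; these are the ones the
# workaround line in the report denies.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample policies for the demonstration (not real distro files).
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>
"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>
"""


def expand_pattern(pattern):
    """Expand a brace list such as '{PS,EPS}' into individual glob patterns.

    Hypothetical helper: ImageMagick patterns are case-insensitive globs with
    optional {a,b} alternation; a bare pattern is returned as a one-item list.
    Everything is upper-cased so it can be matched against upper-case coder names.
    """
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        parts = pattern[1:-1].split(",")
    else:
        parts = [pattern]
    return [p.strip().upper() for p in parts if p.strip()]


def deny_patterns(policy_xml):
    """Return every glob pattern denied in the 'coder' domain (rights='none')."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        patterns.extend(expand_pattern(pol.get("pattern", "")))
    return patterns


def unprotected_gs_coders(policy_xml):
    """Return the Ghostscript-backed coders the policy still allows, in order."""
    patterns = deny_patterns(policy_xml)
    return [c for c in GS_CODERS
            if not any(fnmatch.fnmatchcase(c, pat) for pat in patterns)]


def audit(path):
    """Read a policy.xml from disk and return (allowed_coders, verdict_text)."""
    with open(path, encoding="utf-8") as fh:
        allowed = unprotected_gs_coders(fh.read())
    if not allowed:
        return allowed, "OK: all Ghostscript-backed coders are denied"
    return allowed, "WARNING: still allowed: " + ", ".join(allowed)


if __name__ == "__main__":
    # Usage: python audit_policy.py /etc/ImageMagick-7/policy.xml
    # Without an argument, run against the constructed samples above.
    if len(sys.argv) > 1:
        print(audit(sys.argv[1])[1])
    else:
        for name, xml in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
            allowed = unprotected_gs_coders(xml)
            print(f"{name}: " + ("all denied" if not allowed else "allowed " + ", ".join(allowed)))
```

Only rights="none" is counted as a deny here; a policy that merely drops "write" would still leave reading (and thus delegation to gs) possible, so a stricter audit would treat anything other than "none" on these coders as a finding.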
2018-09-08: A task closure has been requested. Reason for request: Implementing https://bugs.archlinux.org/task/59982 should be enough, at least for a while.
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 10:51 GMT
There are also public PoCs for the evince thumbnailer, which can be triggered automatically when entering a folder with a malicious file inside:
http://openwall.com/lists/oss-security/2018/08/23/1
http://openwall.com/lists/oss-security/2018/08/23/4
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 12:44 GMT
PoC for triggering this automatically by visiting a webpage in Chrome: https://twitter.com/taviso/status/1032649799953084416
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 14:46 GMT
  • Field changed: Percent Complete (100% → 0%)
Unfortunately, the vulnerability list is still growing, and for some of them there is no patch available, see http://openwall.com/lists/oss-security/2018/08/27/4

The solution proposed here will block all known and unknown exploits, thus it's still recommended.

Can you re-open this with lower severity and maybe change to "General gripe"?
Comment by Eli Schwartz (eschwartz) - Tuesday, 28 August 2018, 14:47 GMT
Huh, my bad. Did not realize that FS#59799 does not fix all known issues.
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 20:23 GMT