
FS#59778 - [libmagick] Apply workaround for Ghostscript RCE vuln

Attached to Project: Arch Linux
Opened by Tommy Schmitt (spinka) - Thursday, 23 August 2018, 16:25 GMT
Last edited by Antonio Rojas (arojas) - Monday, 22 October 2018, 15:51 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Andreas Radke (AndyRTR), Antonio Rojas (arojas), Levente Polyak (anthraxx)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

Recently a new batch of Ghostscript RCE bugs was disclosed in public:

http://openwall.com/lists/oss-security/2018/08/21/2
https://www.kb.cert.org/vuls/id/332928

There is no upstream patch for them, and there are others, 2 years old, still unfixed:
http://openwall.com/lists/oss-security/2018/08/22/3

The one thing that Arch can do is to add the line below to '/etc/ImageMagick-7/policy.xml', which belongs to the libmagick package:

<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />

This is the recommended action for all distros to take.

Steps to reproduce:
1. Install 'imagemagick' and 'ghostscript' packages.
2. Create shellexec.jpeg with the content below:
cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

3. Execute 'convert shellexec.jpeg whatever.gif'

Closed by Antonio Rojas (arojas)
Monday, 22 October 2018, 15:51 GMT
Reason for closing: Fixed
Additional comments about closing: libmagick 7.0.8.13-1
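
A check for the workaround described in the report above, as an added example that is not part of the original report or of Arch's packaging: it parses a policy.xml and lists which of the six coders from the suggested line are not denied. The function names and sample policies are constructed for illustration, and the rule that any grant cancels a deny is a conservative assumption of this example, not ImageMagick's own evaluation logic.

```python
import re
import sys
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders listed in the workaround line from this report.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def expand_braces(pattern):
    """Expand {A,B} alternatives: 'E{PS,PI}' -> ['EPS', 'EPI']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt.strip() + tail)]

def unblocked_coders(policy_xml, coders=GS_CODERS):
    """Return the coders that the policy text does not reliably deny."""
    denied, granted = set(), set()
    # ElementTree skips XML comments, so a commented-out entry is ignored.
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        rights = entry.get("rights", "").strip().lower()
        globs = expand_braces(entry.get("pattern", ""))
        for coder in coders:
            if any(fnmatchcase(coder, g) for g in globs):
                (denied if rights == "none" else granted).add(coder)
    # Conservative rule (assumption of this example): blocked only if some
    # entry denies the coder and no matching entry grants it any rights.
    return [c for c in coders if c not in denied or c in granted]

# Constructed sample policies, not taken from any real system.
HARDENED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""
COMMENTED_OUT = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" /> -->
  <policy domain="coder" rights="none" pattern="PS*" />
  <policy domain="coder" rights="read" pattern="PDF" />
</policymap>"""

if __name__ == "__main__":
    # Usage: python3 check_policy.py /etc/ImageMagick-7/policy.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HARDENED
    missing = unblocked_coders(text)
    print("not blocked:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

The second sample shows two ways the workaround can silently fail to apply: the line is present only inside an XML comment, and a narrower `PS*` entry leaves EPS, PDF and XPS uncovered.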
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 10:51 GMT
There are also public POCs for the evince thumbnailer, which can be triggered automatically when entering a folder with a malicious file inside:
http://openwall.com/lists/oss-security/2018/08/23/1
http://openwall.com/lists/oss-security/2018/08/23/4
Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 12:44 GMT
POC for triggering this automatically by visiting a webpage in Chrome: https://twitter.com/taviso/status/1032649799953084416
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 14:46 GMT
  • Field changed: Percent Complete (100% → 0%)
Unfortunately, the vulnerability list is still growing and for some of them there is no patch available, see http://openwall.com/lists/oss-security/2018/08/27/4

The solution proposed here will block all known and unknown exploits, thus it's still recommended.

Can you re-open this with lower severity and maybe change to "General gripe"?
Comment by Eli Schwartz (eschwartz) - Tuesday, 28 August 2018, 14:47 GMT
Huh, my bad. Did not realize that FS#59799 does not fix all known issues.
Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 20:23 GMT
Comment by Jensen McKenzie (your_doomsday) - Monday, 24 September 2018, 16:17 GMT
All known vulnerabilities are fixed in ghostscript 9.25, which has been in the Arch Linux repos for some time. The upstream bug is now closed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c25 . This can be closed as well.
Comment by Eli Schwartz (eschwartz) - Thursday, 18 October 2018, 14:36 GMT
So, we thought "hey, there's a round of vulnerabilities, but there's also patches so now we updated we don't need this workaround".

Except, no, not really. cf. FS#60370

We're just going to keep seeing more vulnerabilities, aren't we? I think this workaround is needed, the reactive approach is not working out.

EDIT: Well, it would help to assign the libmagick maintainer rather than the ghostscript maintainer. Suddenly things make sense. :o
