FS#59778 : [libmagick] Apply workaround for Ghostscript RCE vuln

FS#59778 - [libmagick] Apply workaround for Ghostscript RCE vuln

Attached to Project: Arch Linux
Opened by Tommy Schmitt (spinka) - Thursday, 23 August 2018, 16:25 GMT
Last edited by Antonio Rojas (arojas) - Monday, 22 October 2018, 15:51 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Andreas Radke (AndyRTR) Antonio Rojas (arojas) Levente Polyak (anthraxx)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 fightcookie (fightcookie) (2020-11-02) Tommy Schmitt (spinka) (2018-08-23)
Private	No

Details

Description:

Recently new batch of Ghostscript RCE bugs were disclosed in public:

http://openwall.com/lists/oss-security/2018/08/21/2
https://www.kb.cert.org/vuls/id/332928

There is no upstream patch for them and there are other 2 years old still unfixed:
http://openwall.com/lists/oss-security/2018/08/22/3

The one thing that Arch can do is to add below line to '/etc/ImageMagick-7/policy.xml' which belongs to libmagick package:

<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />

This is recommended action for all distros to do.

Steps to reproduce:
1. Install 'imagemagick' and 'ghostscript' packages.
2. Create shellexec.jpg with below content:
cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

3. Execute 'convert shellexec.jpeg whatever.gif'

This task depends upon

Closed by Antonio Rojas (arojas)
Monday, 22 October 2018, 15:51 GMT
Reason for closing: Fixed
Additional comments about closing: libmagick 7.0.8.13-1

Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 10:51 GMT

There are also public POC for evince thumbnailer which can be triggered automatically while entering folder with malicious file inside:
http://openwall.com/lists/oss-security/2018/08/23/1
http://openwall.com/lists/oss-security/2018/08/23/4

Comment by Tommy Schmitt (spinka) - Saturday, 25 August 2018, 12:44 GMT

POC for triggering this automatically by visiting webpage in chrome: https://twitter.com/taviso/status/1032649799953084416

Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 14:46 GMT

Field changed: Percent Complete (100% → 0%)

Unfortunately, the vulnerability list is still growing and for some of them there are no patch available, see http://openwall.com/lists/oss-security/2018/08/27/4

The solution proposed here will block all known and unknown exploits thus it's still recommended.

Can you re-open this with lower severity and maybe change to "General gripe"?

Comment by Eli Schwartz (eschwartz) - Tuesday, 28 August 2018, 14:47 GMT

Huh, my bad. Did not realize that ~~FS#59799~~ does not fix all known issues.

Comment by Tommy Schmitt (spinka) - Tuesday, 28 August 2018, 20:23 GMT

https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c16

Comment by Jensen McKenzie (your_doomsday) - Monday, 24 September 2018, 16:17 GMT

All known vulnerabilities are fixed in ghostscript 9.25 which is in Arch Linux repos for some time. The upstream bug is now closed https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c25 . This can be closed as well.

Comment by Eli Schwartz (eschwartz) - Thursday, 18 October 2018, 14:36 GMT

So, we thought "hey, there's a round of vulnerabilities, but there's also patches so now we updated we don't need this workaround".

Except, no, not really. cf. ~~FS#60370~~

We're just going to keep seeing more vulnerabilities, aren't we? I think this workaround is needed, the reactive approach is not working out.

EDIT: Well, it would help to assign the libmagick maintainer rather than the ghostscript maintainer. Suddenly things make sense. :o

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#59778 - [libmagick] Apply workaround for Ghostscript RCE vuln

Details

Loading...