Headline
Ubuntu Security Notice USN-6835-1
Ubuntu Security Notice 6835-1 - It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. Thomas Rinsma discovered that Ghostscript did not prevent changes to uniprint device argument strings after SAFER is activated, resulting in a format-string vulnerability. An attacker could possibly use this to execute arbitrary code.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
NotDashEscaped: You need gpg to verify this message
==========================================================================
Ubuntu Security Notice USN-6835-1
June 17, 2024
ghostscript vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Ghostscript.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript did not properly restrict eexec
seeds to those specified by the Type 1 Font Format standard when
SAFER mode is used. An attacker could use this issue to bypass SAFER
restrictions and cause unspecified impact. (CVE-2023-52722)
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.
Thomas Rinsma discovered that Ghostscript did not prevent changes to
uniprint device argument strings after SAFER is activated, resulting
in a format-string vulnerability. An attacker could possibly use this
to execute arbitrary code. (CVE-2024-29510)
Zdenek Hutyra discovered that Ghostscript did not properly perform
path reduction when validating paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy and
possibly execute arbitrary code. (CVE-2024-33869)
Zdenek Hutyra discovered that Ghostscript did not properly check
arguments when reducing paths. An attacker could use this to
access file locations outside of those allowed by SAFER policy.
(CVE-2024-33870)
Zdenek Hutyra discovered that the “Driver” parameter for Ghostscript’s
“opvp"/"oprp” device allowed specifying the name of an arbitrary dynamic
library to load. An attacker could use this to execute arbitrary code.
(CVE-2024-33871)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
ghostscript 10.02.1~dfsg1-0ubuntu7.1
ghostscript-doc 10.02.1~dfsg1-0ubuntu7.1
Ubuntu 23.10
ghostscript 10.01.2~dfsg1-0ubuntu2.3
ghostscript-doc 10.01.2~dfsg1-0ubuntu2.3
ghostscript-x 10.01.2~dfsg1-0ubuntu2.3
Ubuntu 22.04 LTS
ghostscript 9.55.0~dfsg1-0ubuntu5.7
ghostscript-doc 9.55.0~dfsg1-0ubuntu5.7
ghostscript-x 9.55.0~dfsg1-0ubuntu5.7
Ubuntu 20.04 LTS
ghostscript 9.50~dfsg-5ubuntu4.12
ghostscript-doc 9.50~dfsg-5ubuntu4.12
ghostscript-x 9.50~dfsg-5ubuntu4.12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6835-1
CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870,
CVE-2024-33871
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.1
https://launchpad.net/ubuntu/+source/ghostscript/10.01.2~dfsg1-0ubuntu2.3
https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.7
https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.12
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmZwxK4ACgkQ3gXQmO/T
r3yOAQ/+NUTiKTAkI/XpceJpULY0tJiBZR37xhnxiKSuFoAQY5RrRuGxpC6sPXwi
16Xoyo2gvDEfeaV4zn/jCfw4Lf4L1+JNbAOS1Yvnvg0Ags+b/bAUAlMV0E+7Jyap
gVbd7T8c2oIMFFq6S78qi5Gl4kyHYiVAgxZNtJiMztTpF+qG2frcObLIW5JpzQZ3
mZIRtoSAjyhKOoAfq2BXq/nuk0GzXu4wGEN2FEag6VRRW92Ti0rfdYjNYgcQ44Ii
VTM5bYtvIjqI+uLbUEUiPQ91OZ4yg3K/pTRLnIVyoAo95Huqc6N+lZmXD97yokXj
m4BU1iWSFBUS2kf/3aoNtkGqhIv/2sGYs3CNHBC23eE7IXsBbwaCpeF8Ogsx2eKe
phpJMeCtvdTmq4+s0l5r4mwAKhHuvklQGwHe/5sDpJbZTW1qtdWmFzXaiKyHGDDw
0nEyKkRKP0c3yC6I0Aht2gVk/pYiwhpVe5TGICl0lbRXO7DEEU5ns2t+C0xnMBz4
cV2FE6rouRDJTlFPWtLmxT0BpHn+xBMLabEuPFJAlXRjy9dLKPrZVgkXe/9NROQm
hUCuuKAHLKWK8rZC1c3T2DiE9dDQZs9KUZRKB0ZhZzLYC+pGu8DW9Ud6NDMB3LAO
yDANPKeEG+09Ho2u4NbhbuLUMSzvNazZDpm2ZMi1vECul/nZ/ns=
=WJrB
-----END PGP SIGNATURE-----
Related news
This Metasploit module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick. This exploit only works against Ghostscript versions 10.03.0 and 10.01.2. Some offsets adjustment will probably be needed to make it work with other versions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open
Red Hat Security Advisory 2024-4549-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4544-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4541-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4537-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4527-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4462-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4014-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4000-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-3999-03 - An update for ghostscript is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.