Discussion:
[OpenIndiana-discuss] ghostscript / ImageMagick security problems
Udo Grabowski (IMK)
2018-08-22 18:52:47 UTC
These security bugs are really bad ("works" on Openindiana):

<https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
<https://www.kb.cert.org/vuls/id/332928>
--
Dr.Udo Grabowski Inst.f.Meteorology a.Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026
Reginald Beardsley via openindiana-discuss
2018-08-22 19:25:15 UTC
How do you mitigate it? Just not read PDFs? I can't find the policy.xml file referenced in the first link.

Bob Friesenhahn
2018-08-22 20:39:36 UTC
Post by Reginald Beardsley via openindiana-discuss
How do you mitigate it? Just not read PDFs? I can't find the policy.xml file referenced in the first link.
I think that Postscript (an arbitrary powerful language) is more
dangerous than PDFs. Unfortunately, Postscript is inherent to
Ghostscript and I would not be surprised if it used Postscript code
internally to parse PDF.

Untrusted Postscript and EPS ("Encapsulated Postscript") are of
concern. EPS is commonly included inside other types of files, so
you might not be aware you are using it.

I will be looking again into whether utilities from the Poppler
package can effectively be used to replace Ghostscript for use in
GraphicsMagick when reading PDF inputs. It is not clear to me if
Poppler is actually more secure though.

Take care about printer driver software which uses Ghostscript to
render Postscript into bitmap images for submission to a
non-Postscript printer.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Bob Friesenhahn
2018-08-22 21:11:18 UTC
If OpenIndiana's build of ImageMagick uses a "modules" build, then one
can delete the installed pdf.so, ps.so, ps2.so, and ps3.so and then it
should not be possible to read the associated formats.

Under Ubuntu 16.04 LTS, I see the ImageMagick policy.xml is available
at "/etc/ImageMagick/policy.xml".

The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides
an example which does not appear to block PS2 and PS3, which are also
entry points for reading Postscript.

Bob
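The policy file below is an added example, not from the thread and not ImageMagick's shipped default: it starts from the CERT-style coder blocklist Bob describes (PS, EPS, PDF, XPS) and adds the PS2 and PS3 coders he notes are missing. The coder names are ImageMagick's own; the file path is the Ubuntu one quoted above, and other distributions may install it elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a hardened /etc/ImageMagick/policy.xml (path as quoted
     above for Ubuntu 16.04; check your own install for the real location).
     Each "coder" policy with rights="none" stops ImageMagick from reading or
     writing that format, so the Ghostscript delegate is never invoked for it.
     Patterns match coder names exactly, so "PS" does not cover PS2 or PS3. -->
<policymap>
  <!-- The four coders the CERT advisory example denies. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Missing from the CERT example: PS2 and PS3 are separate Postscript
       coders and are still handed to Ghostscript unless denied here. -->
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
</policymap>
```

After installing the file, `convert -list policy` prints the rules ImageMagick actually loaded, which is a quick way to confirm that PS2 and PS3 are listed alongside PS.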
Reginald Beardsley via openindiana-discuss
2018-08-22 21:11:15 UTC
I've been aware of the Postscript issue for a very long time. I never encountered it, but I read about the Crusty the Clown image that wiped your hard drive.

With multifunction printers I suspect that even the builtin PS interpreters are a hazard.

My primary system is a Sol 10 u8 machine on an air gapped network with a duplexing Brother printer. Fortunately it's connected via a Netgear printserver, so it would take a very complex exploit to reach the Sol 10 box. If PDFs get converted to Postscript for printing, then I probably need to take ZFS snapshots before printing random material.
Michal Nowak
2018-08-29 06:05:55 UTC
Post by Udo Grabowski (IMK)
<https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
<https://www.kb.cert.org/vuls/id/332928>
It's been a week since the patches were published
(https://artifex.com/news/ghostscript-security-resolved/) and no major
distribution has fixed it. Does anyone know why? Are there problems
with those patches? Or is the problem not that severe after all?

Thanks,
Michal
Bob Friesenhahn
2018-08-29 17:56:03 UTC
Post by Michal Nowak
Post by Udo Grabowski (IMK)
<https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
<https://www.kb.cert.org/vuls/id/332928>
It's been a week since the patches were published
(https://artifex.com/news/ghostscript-security-resolved/) and no major
distribution has fixed it. Does anyone know why? Are there problems
with those patches? Or is the problem not that severe after all?
The patches are against the development code base targeting the next
Ghostscript release. The patches are presumably offered under the
AGPL license.

It is not uncommon for older Ghostscript versions to be distributed,
particularly given that the GNU Affero General Public License (AGPL)
is not compatible with some common usage models due to adding
additional obligations. Artifex wants to encourage commercial
licensing of their software. See https://artifex.com/licensing/.

Bob
Bob Friesenhahn
2018-08-29 18:37:27 UTC
This Debian discussion thread reveals why the introduction of AGPL
since Ghostscript 9.07 causes some concern for distributions:

https://lists.debian.org/debian-devel/2014/05/msg00144.html

The concern is that any program linking with an AGPL library becomes
itself AGPL licensed. The license for every program/library linking
with the Ghostscript library then needs to be examined to make sure
that it is compatible with it, and to assure that the terms are
honored.

If there is any modification (even one patch!), then it is required
that a remote user be able to download the modified source code from
the server where the modified "program" runs, including all source
code linked with it.

Bob
Bob Friesenhahn
2018-08-29 20:44:43 UTC
Another reason why the Ghostscript issues have not been fixed is that
there are still issues. :-(

Today Tavis Ormandy posted a shell exploit to the oss-security list
which still works (it executes an arbitrary Unix shell command when a
Postscript file is opened with 'evince') with the latest development
Ghostscript.

Bob