Security update for ghostscript SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3036-1 Final 1 1 2018-10-05T16:05:09Z current 2018-10-05T16:05:09Z 2018-10-05T16:05:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ghostscript This update for ghostscript to version 9.25 fixes the following issues: These security issues were fixed: - CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code (bsc#1109105) - CVE-2018-15909: Prevent type confusion using the .shfill operator that could have been used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code (bsc#1106172). - CVE-2018-15908: Prevent attackers that are able to supply malicious PostScript files to bypass .tempfile restrictions and write files (bsc#1106171). - CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter that could have been used to crash the interpreter or execute code (bsc#1106173). - CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode operator that could have been used to crash the interpreter or potentially execute code (bsc#1106195). - CVE-2018-16513: Prevent a type confusion in the setcolor function that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107412). - CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling of /invalidaccess exceptions could be have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction (bsc#1107410). - CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF primitives could have been used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact (bsc#1107411). - CVE-2018-16542: Prevent attackers able to supply crafted PostScript files from using insufficient interpreter stack-size checking during error handling to crash the interpreter (bsc#1107413). - CVE-2018-16541: Prevent attackers able to supply crafted PostScript files from using incorrect free logic in pagedevice replacement to crash the interpreter (bsc#1107421). - CVE-2018-16540: Prevent use-after-free in copydevice handling that could have been used to crash the interpreter or possibly have unspecified other impact (bsc#1107420). - CVE-2018-16539: Prevent attackers able to supply crafted PostScript files from using incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable (bsc#1107422). - CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have an unspecified impact (bsc#1107423). - CVE-2018-16511: A type confusion in 'ztype' could have been used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107426). - CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even though it is not intended for use during document processing (e.g., after the startup phase). This lead to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact (bsc#1107581). - CVE-2018-16802: Incorrect 'restoration of privilege' checking when running out of stack during exception handling could have been used by attackers able to supply crafted PostScript to execute code using the 'pipe' instruction. This is due to an incomplete fix for CVE-2018-16509 (bsc#1108027). These non-security issues were fixed: * Fixes problems with argument handling, some unintended results of the security fixes to the SAFER file access restrictions (specifically accessing ICC profile files). * Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--' For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm and the changes file of the package. This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html E-Mail link for openSUSE-SU-2018:3036-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 ghostscript-9.25-14.9.1 ghostscript-devel-9.25-14.9.1 ghostscript-mini-9.25-14.9.1 ghostscript-mini-devel-9.25-14.9.1 ghostscript-x11-9.25-14.9.1 ghostscript-9.25-14.9.1 as a component of openSUSE Leap 42.3 ghostscript-devel-9.25-14.9.1 as a component of openSUSE Leap 42.3 ghostscript-mini-9.25-14.9.1 as a component of openSUSE Leap 42.3 ghostscript-mini-devel-9.25-14.9.1 as a component of openSUSE Leap 42.3 ghostscript-x11-9.25-14.9.1 as a component of openSUSE Leap 42.3 In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files. CVE-2018-15908 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-15908.html CVE-2018-15908 https://bugzilla.suse.com/1105464 SUSE Bug 1105464 https://bugzilla.suse.com/1106171 SUSE Bug 1106171 In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code. CVE-2018-15909 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-15909.html CVE-2018-15909 https://bugzilla.suse.com/1105464 SUSE Bug 1105464 https://bugzilla.suse.com/1106172 SUSE Bug 1106172 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the LockDistillerParams parameter to crash the interpreter or execute code. CVE-2018-15910 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-15910.html CVE-2018-15910 https://bugzilla.suse.com/1105464 SUSE Bug 1105464 https://bugzilla.suse.com/1106173 SUSE Bug 1106173 In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code. CVE-2018-15911 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-15911.html CVE-2018-15911 https://bugzilla.suse.com/1105464 SUSE Bug 1105464 https://bugzilla.suse.com/1106195 SUSE Bug 1106195 https://bugzilla.suse.com/1108027 SUSE Bug 1108027 https://bugzilla.suse.com/1109105 SUSE Bug 1109105 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1111480 SUSE Bug 1111480 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 https://bugzilla.suse.com/1117022 SUSE Bug 1117022 https://bugzilla.suse.com/1118455 SUSE Bug 1118455 An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. CVE-2018-16509 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16509.html CVE-2018-16509 https://bugzilla.suse.com/1107410 SUSE Bug 1107410 https://bugzilla.suse.com/1108027 SUSE Bug 1108027 https://bugzilla.suse.com/1118318 SUSE Bug 1118318 An issue was discovered in Artifex Ghostscript before 9.24. Incorrect exec stack handling in the "CS" and "SC" PDF primitives could be used by remote attackers able to supply crafted PDFs to crash the interpreter or possibly have unspecified other impact. CVE-2018-16510 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16510.html CVE-2018-16510 https://bugzilla.suse.com/1107411 SUSE Bug 1107411 An issue was discovered in Artifex Ghostscript before 9.24. A type confusion in "ztype" could be used by remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. CVE-2018-16511 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16511.html CVE-2018-16511 https://bugzilla.suse.com/1107426 SUSE Bug 1107426 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use a type confusion in the setcolor function to crash the interpreter or possibly have unspecified other impact. CVE-2018-16513 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16513.html CVE-2018-16513 https://bugzilla.suse.com/1107412 SUSE Bug 1107412 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect access checking in temp file handling to disclose contents of files on the system otherwise not readable. CVE-2018-16539 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16539.html CVE-2018-16539 https://bugzilla.suse.com/1107422 SUSE Bug 1107422 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files to the builtin PDF14 converter could use a use-after-free in copydevice handling to crash the interpreter or possibly have unspecified other impact. CVE-2018-16540 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16540.html CVE-2018-16540 https://bugzilla.suse.com/1107420 SUSE Bug 1107420 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use incorrect free logic in pagedevice replacement to crash the interpreter. CVE-2018-16541 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16541.html CVE-2018-16541 https://bugzilla.suse.com/1107421 SUSE Bug 1107421 https://bugzilla.suse.com/1108027 SUSE Bug 1108027 https://bugzilla.suse.com/1109105 SUSE Bug 1109105 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1111480 SUSE Bug 1111480 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 https://bugzilla.suse.com/1117022 SUSE Bug 1117022 https://bugzilla.suse.com/1118455 SUSE Bug 1118455 In Artifex Ghostscript before 9.24, attackers able to supply crafted PostScript files could use insufficient interpreter stack-size checking during error handling to crash the interpreter. CVE-2018-16542 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16542.html CVE-2018-16542 https://bugzilla.suse.com/1107413 SUSE Bug 1107413 In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact. CVE-2018-16543 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16543.html CVE-2018-16543 https://bugzilla.suse.com/1107423 SUSE Bug 1107423 ** DISPUTED ** An issue was discovered in Artifex Ghostscript before 9.24. The .setdistillerkeys PostScript command is accepted even though it is not intended for use during document processing (e.g., after the startup phase). This leads to memory corruption, allowing remote attackers able to supply crafted PostScript to crash the interpreter or possibly have unspecified other impact. Note: A reputable source believes that the CVE is potentially a duplicate of CVE-2018-15910 as explained in Red Hat bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1626193). CVE-2018-16585 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16585.html CVE-2018-16585 https://bugzilla.suse.com/1107581 SUSE Bug 1107581 An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix for CVE-2018-16509. CVE-2018-16802 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-16802.html CVE-2018-16802 https://bugzilla.suse.com/1107410 SUSE Bug 1107410 https://bugzilla.suse.com/1108027 SUSE Bug 1108027 https://bugzilla.suse.com/1109105 SUSE Bug 1109105 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1111480 SUSE Bug 1111480 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 https://bugzilla.suse.com/1117022 SUSE Bug 1117022 https://bugzilla.suse.com/1117327 SUSE Bug 1117327 https://bugzilla.suse.com/1118455 SUSE Bug 1118455 Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. CVE-2018-17183 openSUSE Leap 42.3:ghostscript-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-mini-devel-9.25-14.9.1 openSUSE Leap 42.3:ghostscript-x11-9.25-14.9.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00011.html https://www.suse.com/security/cve/CVE-2018-17183.html CVE-2018-17183 https://bugzilla.suse.com/1108027 SUSE Bug 1108027 https://bugzilla.suse.com/1109105 SUSE Bug 1109105 https://bugzilla.suse.com/1111479 SUSE Bug 1111479 https://bugzilla.suse.com/1111480 SUSE Bug 1111480 https://bugzilla.suse.com/1112229 SUSE Bug 1112229 https://bugzilla.suse.com/1117022 SUSE Bug 1117022 https://bugzilla.suse.com/1117331 SUSE Bug 1117331 https://bugzilla.suse.com/1118455 SUSE Bug 1118455