[Secure-testing-team] Bug#859662: ghostscript: CVE-2016-10217

Salvatore Bonaccorso carnil at debian.org
Wed Apr 5 17:22:48 UTC 2017


Source: ghostscript
Version: 9.20~dfsg-3
Severity: important
Tags: upstream security
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=697456

Hi,

the following vulnerability was published for ghostscript.

CVE-2016-10217[0]:
| The pdf14_open function in base/gdevp14.c in Artifex Software, Inc.
| Ghostscript 9.20 allows remote attackers to cause a denial of service
| (use-after-free and application crash) via a crafted file that is
| mishandled in the color management module.

To verify with an ASAN build of ghostscript:

----cut---------cut---------cut---------cut---------cut---------cut-----
# LD_LIBRARY_PATH=./sobin ./debian/tmp/usr/bin/gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER /root/gs_uaf_pdf14_cleanup_parent_color_profiles -c quit
GPL Ghostscript 9.20 (2016-09-26)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
=================================================================
==4082==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00053b840 at pc 0x7f9c09ebff67 bp 0x7ffe337bb2a0 sp 0x7ffe337bb298
READ of size 8 at 0x62a00053b840 thread T0
    #0 0x7f9c09ebff66 in pdf14_cleanup_parent_color_profiles base/gdevp14.c:2016
    #1 0x7f9c09eefcef in pdf14_device_finalize base/gdevp14.c:8293
    #2 0x7f9c0a7fd262 in restore_finalize psi/isave.c:952
    #3 0x7f9c0a7fc066 in alloc_restore_step_in psi/isave.c:759
    #4 0x7f9c0a7fcbfb in alloc_restore_all psi/isave.c:886
    #5 0x7f9c0a700455 in gs_main_finit psi/imain.c:978
    #6 0x7f9c0a700a74 in gs_to_exit_with_code psi/imain.c:1013
    #7 0x7f9c0a700a9b in gs_to_exit psi/imain.c:1018
    #8 0x7f9c0a70b97b in gsapi_exit psi/iapi.c:561
    #9 0x557197880114 in main psi/dxmainc.c:90
    #10 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x55719787fd29 in _start (/root/ghostscript-9.20~dfsg/debian/tmp/usr/bin/gs+0xd29)

0x62a00053b840 is located 5696 bytes inside of 20048-byte region [0x62a00053a200,0x62a00053f050)
freed by thread T0 here:
    #0 0x7f9c0b8b7a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f9c0a4c960f in gs_heap_free_object base/gsmalloc.c:348
    #2 0x7f9c0a46655d in alloc_free_clump base/gsalloc.c:2593
    #3 0x7f9c0a45f7d1 in free_all_not_allocator base/gsalloc.c:1000
    #4 0x7f9c0a45cf20 in clump_splay_app base/gsalloc.c:602
    #5 0x7f9c0a45fa30 in i_free_all base/gsalloc.c:1036
    #6 0x7f9c0a7fd475 in restore_free psi/isave.c:989
    #7 0x7f9c0a7fc7b8 in restore_space psi/isave.c:847
    #8 0x7f9c0a7fc220 in alloc_restore_step_in psi/isave.c:784
    #9 0x7f9c0a7fcbfb in alloc_restore_all psi/isave.c:886
    #10 0x7f9c0a700455 in gs_main_finit psi/imain.c:978
    #11 0x7f9c0a700a74 in gs_to_exit_with_code psi/imain.c:1013
    #12 0x7f9c0a700a9b in gs_to_exit psi/imain.c:1018
    #13 0x7f9c0a70b97b in gsapi_exit psi/iapi.c:561
    #14 0x557197880114 in main psi/dxmainc.c:90
    #15 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f9c0b8b7d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f9c0a4c8aac in gs_heap_alloc_bytes base/gsmalloc.c:183
    #2 0x7f9c0a46560b in alloc_acquire_clump base/gsalloc.c:2430
    #3 0x7f9c0a4651c0 in alloc_add_clump base/gsalloc.c:2379
    #4 0x7f9c0a4635d3 in alloc_obj base/gsalloc.c:1991
    #5 0x7f9c0a46097c in i_alloc_struct base/gsalloc.c:1229
    #6 0x7f9c0a7dbb9c in gs_istate_alloc psi/zgstate.c:590
    #7 0x7f9c0a4ea417 in gstate_clone base/gsstate.c:1008
    #8 0x7f9c0a4e6eaf in gs_gsave base/gsstate.c:325
    #9 0x7f9c0a4e712a in gs_gsave_for_save base/gsstate.c:370
    #10 0x7f9c0a7879a0 in zsave psi/zvmem.c:84
    #11 0x7f9c0a6f3b8a in z2save psi/zdevice2.c:219
    #12 0x7f9c0a721f63 in interp psi/interp.c:1310
    #13 0x7f9c0a71d2eb in gs_call_interp psi/interp.c:511
    #14 0x7f9c0a71cc52 in gs_interpret psi/interp.c:468
    #15 0x7f9c0a6fb8d2 in gs_main_interpret psi/imain.c:245
    #16 0x7f9c0a6fe323 in gs_main_run_string_end psi/imain.c:663
    #17 0x7f9c0a6fdf6a in gs_main_run_string_with_length psi/imain.c:621
    #18 0x7f9c0a6fdedc in gs_main_run_string psi/imain.c:603
    #19 0x7f9c0a705d7c in run_string psi/imainarg.c:977
    #20 0x7f9c0a705b87 in runarg psi/imainarg.c:967
    #21 0x7f9c0a705539 in argproc psi/imainarg.c:900
    #22 0x7f9c0a701d22 in gs_main_init_with_args psi/imainarg.c:238
    #23 0x7f9c0a70b18e in gsapi_init_with_args psi/iapi.c:353
    #24 0x5571978800d4 in main psi/dxmainc.c:86
    #25 0x7f9c0976b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free base/gdevp14.c:2016 in pdf14_cleanup_parent_color_profiles
Shadow bytes around the buggy address:
  0x0c548009f6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c548009f700: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c548009f710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c548009f750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4082==ABORTING
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10217
[1] https://bugs.ghostscript.com/show_bug.cgi?id=697456
[2] http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
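As an added triage aid (not part of this report, nor Ghostscript's or Debian's code), a small Python parser for AddressSanitizer reports of the shape quoted above: it pulls out the bug class, the faulting access, the offset within the freed region, and the access/free/allocation stacks, and skips runtime frames (libasan, libc) to find the first frame in project code. The sample input is a constructed, abridged copy of the report above.

```python
import re

# Constructed sample: an abridged copy of the AddressSanitizer report quoted in the bug report above.
SAMPLE_REPORT = """\
==4082==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00053b840 at pc 0x7f9c09ebff67 bp 0x7ffe337bb2a0 sp 0x7ffe337bb298
READ of size 8 at 0x62a00053b840 thread T0
    #0 0x7f9c09ebff66 in pdf14_cleanup_parent_color_profiles base/gdevp14.c:2016
    #1 0x7f9c09eefcef in pdf14_device_finalize base/gdevp14.c:8293

0x62a00053b840 is located 5696 bytes inside of 20048-byte region [0x62a00053a200,0x62a00053f050)
freed by thread T0 here:
    #0 0x7f9c0b8b7a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f9c0a4c960f in gs_heap_free_object base/gsmalloc.c:348

previously allocated by thread T0 here:
    #0 0x7f9c0b8b7d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f9c0a4c8aac in gs_heap_alloc_bytes base/gsmalloc.c:183

SUMMARY: AddressSanitizer: heap-use-after-free base/gdevp14.c:2016 in pdf14_cleanup_parent_color_profiles
"""

# Frame lines look like "    #3 0x7f9c0a7fc066 in alloc_restore_step_in psi/isave.c:759"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.+?)\s*$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

def parse_asan_report(text):
    """Return bug class, access details and the access/freed/allocated stacks as (function, location) tuples."""
    info = {"stacks": {"access": [], "freed": [], "allocated": []}}
    section = None  # which stack the following frame lines belong to
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["bug"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            section = "access"
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif (m := FRAME_RE.match(line)) and section:
            info["stacks"][section].append((m.group(2), m.group(3)))
    return info

def first_project_frame(frames):
    """First frame with a source location; runtime frames are shown as '(libfoo.so+offset)' and are skipped."""
    return next(((f, loc) for f, loc in frames if not loc.startswith("(")), None)
```

Pointing the allocation and free stacks at gs_heap_alloc_bytes / gs_heap_free_object rather than at malloc / free is what makes the report actionable for the maintainer: it shows the object died during restore and was then read from the pdf14 device finalizer.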
