Bug 1105592

Summary: VUL-0: ImageMagick, GraphicsMagick: ghostscript: various issues bypassing -dSAFER
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: danilo.godec, meissner, msvec, onalmpantis, pgajdos, suse-beta
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-08-22 06:08:58 UTC
+++ This bug was initially created as a clone of Bug #1105464 +++

From: Tavis Ormandy <taviso@google.com>
Date: Mon, 20 Aug 2018 17:56:43 -0700
subject: ***UNCHECKED*** [vs-plain] More Ghostscript Issues

Tavis Ormandy has reported more -dSAFER bypass issues in ghostscript to distros.

... 3 new issues directly reported ... way more coming ... 

I'm kind of the opinion that ghostscript is unsalvageable for untrusted
input, and we should use poppler for pdf and give up on untrusted
postscript.

I really *strongly* suggest that distributions start disabling PS, EPS, PDF
and XPS coders in policy.xml by default. I think this is the number one
"unexpected ghostscript" vector, imho this should happen asap.

I'll start opening upstream bugs tomorrow, at which point code changes will
likely be public quickly.

Tavis.
Comment 1 Marcus Meissner 2018-08-22 06:09:24 UTC
so if we currently do not disable ghostscript in ImageMagick or GraphicsMagick,
I would now say we should start doing so.
Comment 2 Swamp Workflow Management 2018-08-22 10:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/630850 Factory / ImageMagick
Comment 3 Swamp Workflow Management 2018-08-22 11:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/630883 Factory / ImageMagick
Comment 5 Swamp Workflow Management 2018-08-22 14:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/630927 15.0 / GraphicsMagick
https://build.opensuse.org/request/show/630929 42.3 / GraphicsMagick
Comment 6 Petr Gajdos 2018-08-22 15:14:39 UTC
BEFORE

TW,15,12/ImageMagick, 

$ convert rose: rose.pdf
$ convert rose: rose.xps
$ convert rose: rose.eps
$ convert rose: rose.ps
$

11/ImageMagick

$ convert rose: rose.pdf; file rose.pdf
rose.pdf: PDF document, version 1.3
$ convert rose: rose.ps; file rose.ps
rose.ps: PostScript document text conforming DSC level 3.0, Level 1
$ convert rose: rose.eps; file rose.eps
rose.eps: PostScript document text conforming DSC level 3.0, type EPS, Level 1
$

42.3,15.0,TW/GraphicsMagick

$ gm convert rose: rose.pdf; file rose.pdf
rose.pdf: PDF document, version 1.2
$ gm convert rose: rose.ps; file rose.ps
rose.ps: PostScript document text conforming DSC level 3.0, Level 1
$ gm convert rose: rose.eps; file rose.eps
rose.eps: PostScript document text conforming DSC level 3.0, type EPS, Level 1
$


AFTER

TW,15,12/ImageMagick

$ convert rose: rose.pdf
convert: not authorized `rose.pdf' @ error/constitute.c/WriteImage/1048.
$ convert rose: rose.xps
convert: not authorized `rose.xps' @ error/constitute.c/WriteImage/1048.
$ convert rose: rose.eps
convert: not authorized `rose.eps' @ error/constitute.c/WriteImage/1048.
$ convert rose: rose.ps
convert: not authorized `rose.ps' @ error/constitute.c/WriteImage/1048.
$

11/ImageMagick

$ convert rose: rose.pdf; file rose.pdf
rose.pdf: ASCII C program text
$ convert rose: rose.eps; file rose.eps
rose.eps: ASCII C program text
$ convert rose: rose.ps; file rose.ps
rose.ps: ASCII C program text
$

11,42.3,15.0,TW/GraphicsMagick

$ gm convert rose: rose.pdf; file rose.pdf
rose.pdf: Netpbm image data, size = 70 x 46, rawbits, pixmap
$ gm convert rose: rose.ps; file rose.ps
rose.ps: Netpbm image data, size = 70 x 46, rawbits, pixmap
$ gm convert rose: rose.eps; file rose.eps
rose.eps: Netpbm image data, size = 70 x 46, rawbits, pixmap
$

Original behavior can be obtained by removing respective lines from policy.xml for TW,15,12/ImageMagick, using MAGICK_CODER_MODULE_PATH for 11/ImageMagick and 11/GraphicsMagick (see bug 978061 comment 43) or using MAGICK_CODER_STABILITY=BROKEN for 42.3,15.0,TW/GraphicsMagick (bug 978061 comment 13).
Comment 7 Petr Gajdos 2018-08-22 15:20:42 UTC
Packages submitted: TW,15,12,11/ImageMagick and TW,15.0,42.3,11/GraphicsMagick.
Comment 9 Swamp Workflow Management 2018-08-23 07:20:12 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/631020 Factory / GraphicsMagick
Comment 10 Swamp Workflow Management 2018-08-26 19:10:26 UTC
openSUSE-SU-2018:2516-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
openSUSE Leap 42.3 (src):    GraphicsMagick-1.3.25-99.1
openSUSE Leap 15.0 (src):    GraphicsMagick-1.3.29-lp150.3.9.1
Comment 12 Swamp Workflow Management 2018-08-29 19:12:32 UTC
SUSE-SU-2018:2553-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    ImageMagick-6.4.3.6-78.59.1
SUSE Linux Enterprise Server 11-SP4 (src):    ImageMagick-6.4.3.6-78.59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ImageMagick-6.4.3.6-78.59.1
Comment 14 Swamp Workflow Management 2018-08-30 19:08:21 UTC
SUSE-SU-2018:2560-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
SUSE Studio Onsite 1.3 (src):    GraphicsMagick-1.2.5-78.66.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    GraphicsMagick-1.2.5-78.66.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    GraphicsMagick-1.2.5-78.66.2
Comment 15 Swamp Workflow Management 2018-08-30 19:10:24 UTC
SUSE-SU-2018:2562-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.17.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.17.1
Comment 17 Swamp Workflow Management 2018-09-04 10:09:23 UTC
openSUSE-SU-2018:2600-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.12.1
Comment 22 Swamp Workflow Management 2018-09-21 10:13:36 UTC
SUSE-SU-2018:2778-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1102003,1102004,1102005,1102007,1105592,1106855,1106858
CVE References: CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437,CVE-2018-16323,CVE-2018-16329
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.74.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.74.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.74.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.74.1
Comment 23 Swamp Workflow Management 2018-09-22 07:27:55 UTC
openSUSE-SU-2018:2516-2: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
openSUSE Backports SLE-15 (src):    GraphicsMagick-1.3.29-bp150.2.3.1
Comment 24 Swamp Workflow Management 2018-09-24 10:09:16 UTC
openSUSE-SU-2018:2811-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1102003,1102004,1102005,1102007,1105592,1106855,1106858
CVE References: CVE-2018-14434,CVE-2018-14435,CVE-2018-14436,CVE-2018-14437,CVE-2018-16323,CVE-2018-16329
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-67.1
Comment 25 Danilo Godec 2018-09-25 06:43:04 UTC
Should the workarounds mentioned in comment 6 still work with the latest packages? They don't seem to. :(

Typo3 (https://typo3.org/), for example, relies on functionality of converting PDF to JPG, so this will break a lot of sites.
Comment 26 Danilo Godec 2018-09-25 07:25:35 UTC
(In reply to Danilo Godec from comment #25)
> Should the workarounds mentioned in comment 6 still work with the latest
> packages? They don't seem to. :(
> 
> Typo3 (https://typo3.org/), for example, relies on functionality of
> converting PDF to JPG, so this will break a lot of sites.

The file /usr/lib64/GraphicsMagick-1.3.25/config/delegates.mgk has changed too, so I had to bring the old version back from backup, along with a 'wrapper' script to add the MAGICK_CODER_STABILITY=BROKEN.
Comment 27 Swamp Workflow Management 2018-10-01 12:20:05 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/639374 Factory / ImageMagick
Comment 28 Petr Gajdos 2018-10-03 07:14:09 UTC
(In reply to Danilo Godec from comment #26)
> The file /usr/lib64/GraphicsMagick-1.3.25/config/delegates.mgk has changed
> too, so I had to bring the old version back from backup, along with a
> 'wrapper' script to add the MAGICK_CODER_STABILITY=BROKEN.

Ok, sorry I had not mentioned it.
Comment 29 Petr Gajdos 2018-10-03 07:23:30 UTC
Marcus,

we disabled coders for both reading and writing. Perhaps we could relax the rules just for reading?
Comment 30 Petr Gajdos 2018-10-03 07:24:28 UTC
(In reply to Petr Gajdos from comment #29)
> Marcus,
> 
> we disabled coders for both reading and writing. Perhaps we could relax the
> rules just for reading?

.. rules just to disable reading?
Comment 31 Marcus Meissner 2018-10-03 07:36:21 UTC
we can allow writing / converting TO PostScript I think.

only evaluating PostScript (so reading) via ghostscript is unsafe
Comment 32 Petr Gajdos 2018-10-03 08:07:34 UTC
Okay. So after the upcoming change we will have:

$ convert rose: rose.eps
$ convert rose.eps rose.png
convert: not authorized `EPS' @ error/constitute.c/IsCoderAuthorized/408.
convert: no images defined `rose.png' @ error/convert.c/ConvertImageCommand/3288.
$

It is perhaps a little misleading, but more relaxed for those who just want to convert an image to PDF, for example. It is applicable for 12,15,TW/ImageMagick only though.
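The read/write distinction above is expressed in ImageMagick's policy.xml through the `rights` attribute of a coder policy. The following audit script is an added example for this report, not SUSE's or ImageMagick's own code: it parses the `<policymap>` format, checks the Ghostscript-delegated coders named in this bug (PS, EPS, PDF, XPS, plus the PS2/PS3 variants), and lists which ones a given policy still allows to be *read*, the direction the thread identifies as unsafe. Both policy documents embedded in it are constructed samples; the assumption that a later matching `<policy>` rule overrides an earlier one is labelled in the code.

```python
"""Audit an ImageMagick policy.xml for Ghostscript-backed coders.

Added example for this bug report; not SUSE's or ImageMagick's own code.
It reports which Ghostscript-delegated coders a policy still lets
ImageMagick read. The two policy documents below are constructed samples.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders that ImageMagick hands to the Ghostscript delegate when reading.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: no coder rule at all, so reading and writing are both
# allowed (the pre-fix state, where PDF input reaches Ghostscript).
POLICY_PERMISSIVE = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample: the relaxed rule from comment 32. Writing PS/EPS/PDF
# is still permitted, reading (Ghostscript evaluation) is denied.
POLICY_WRITE_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="write" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
</policymap>
"""


def _expand_pattern(pattern):
    """Expand one level of brace alternation: '{PS,EPS}' -> ['PS', 'EPS'].

    ImageMagick matches coder patterns as globs; a single brace group is the
    form its shipped policy.xml uses, so that is all this helper handles.
    """
    if pattern.startswith("{") and pattern.endswith("}"):
        return [alt.strip() for alt in pattern[1:-1].split(",")]
    return [pattern]


def coder_rights(policy_xml, coder):
    """Return the rights string in force for `coder`, or None if no rule matches.

    Assumption (not verified against ImageMagick source here): when several
    coder rules match, the last one in document order wins.
    """
    root = ET.fromstring(policy_xml)
    rights = None
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue
        for alt in _expand_pattern(policy.get("pattern", "")):
            if fnmatch.fnmatchcase(coder.upper(), alt.upper()):
                rights = policy.get("rights", "")
    return rights


def readable_gs_coders(policy_xml):
    """List the Ghostscript-backed coders the policy still allows to be read.

    A coder with no matching rule is unrestricted and therefore counts as
    readable; 'none' or a rights string without 'read' counts as blocked.
    """
    readable = []
    for coder in GS_CODERS:
        rights = coder_rights(policy_xml, coder)
        if rights is None or "read" in rights.lower():
            readable.append(coder)
    return readable


if __name__ == "__main__":
    for label, doc in (("permissive", POLICY_PERMISSIVE),
                       ("write-only", POLICY_WRITE_ONLY)):
        print(f"{label}: readable Ghostscript coders = {readable_gs_coders(doc)}")
```

Run against the real file (for example `/etc/ImageMagick-7/policy.xml` on the releases discussed here) by reading it into a string and passing it to `readable_gs_coders`; an empty list means the policy matches the post-fix behaviour shown in comment 32, where `convert rose: rose.eps` succeeds but `convert rose.eps rose.png` is refused.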
Comment 33 Petr Gajdos 2018-10-03 08:39:00 UTC
Packages submitted again to TW, 15 and 12.
Comment 34 Swamp Workflow Management 2018-10-03 08:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/639725 Factory / ImageMagick
Comment 36 Swamp Workflow Management 2018-10-08 13:51:33 UTC
SUSE-SU-2018:3072-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    ImageMagick-7.0.7.34-3.27.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    ImageMagick-7.0.7.34-3.27.1
Comment 37 Swamp Workflow Management 2018-10-11 07:08:07 UTC
openSUSE-SU-2018:3094-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1105592
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    ImageMagick-7.0.7.34-lp150.2.18.1
Comment 38 Swamp Workflow Management 2018-10-11 07:08:56 UTC
SUSE-SU-2018:3095-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ImageMagick-6.8.8.1-71.79.1
Comment 39 Swamp Workflow Management 2018-10-17 19:23:31 UTC
openSUSE-SU-2018:3203-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050129,1105592,1106989,1107604,1107609,1107612,1107616,1107619,1108282,1108283
CVE References: CVE-2017-11532,CVE-2018-16413,CVE-2018-16640,CVE-2018-16642,CVE-2018-16643,CVE-2018-16644,CVE-2018-16645,CVE-2018-16749,CVE-2018-16750
Sources used:
openSUSE Leap 42.3 (src):    ImageMagick-6.8.8.1-70.2
Comment 42 Marcus Meissner 2019-01-22 10:58:41 UTC
TID  https://www.suse.com/support/kb/doc/?id=7023657
Comment 43 Petr Gajdos 2019-01-22 11:57:37 UTC
(In reply to Marcus Meissner from comment #42)
> TID  https://www.suse.com/support/kb/doc/?id=7023657

Marcus: there is another way how to expose vulnerable coders in SLE 11: 

MAGICK_CODER_MODULE_PATH

see the last paragraph of comment 6. Using a wrapper will mean a permanent solution for customers, as opposed to moving coders from one directory to another.
Comment 44 Petr Gajdos 2019-02-06 12:30:01 UTC
(In reply to Petr Gajdos from comment #43)
> (In reply to Marcus Meissner from comment #42)
> > TID  https://www.suse.com/support/kb/doc/?id=7023657
> 
> Marcus: there is another way how to expose vulnerable coders in SLE 11: 
> 
> MAGICK_CODER_MODULE_PATH
> 
> see the last paragraph of comment 6. Using a wrapper that will mean
> permanent solution for customers as opposed to moving coders from one
> directory to another.

Marcus, ping.
Comment 45 Marcus Meissner 2019-02-07 13:00:37 UTC
I asked Hans to add it there
Comment 46 Swamp Workflow Management 2019-05-28 13:30:21 UTC
This is an autogenerated message for OBS integration:
This bug (1105592) was mentioned in
https://build.opensuse.org/request/show/705902 15.1 / GraphicsMagick
Comment 47 Marcus Meissner 2019-07-09 06:30:00 UTC
we solved this by having different config files