ALAS2-2021-1598


Amazon Linux 2 Security Advisory: ALAS-2021-1598
Advisory Release Date: 2021-02-17 00:58 Pacific
Advisory Updated Date: 2021-02-19 22:06 Pacific
Severity: Important

Issue Overview:

Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183 )

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183 . (CVE-2018-17961 )

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073 )

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284 )

In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134 )

An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409 )

psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475 )

psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476 )

psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477 )

A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811 )

A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812 )

A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813 )

A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817 )

A flaw was found in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands. (CVE-2019-14869 )

It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3835 )

It was found that the forceput operator could be extracted from the DefineResource method. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3838 )

It was found that some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. (CVE-2019-3839 )

It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116 )


Affected Packages:

ghostscript


Issue Correction:
Run yum update ghostscript to update your system.

New Packages:
aarch64:
    ghostscript-9.25-5.amzn2.aarch64
    libgs-9.25-5.amzn2.aarch64
    libgs-devel-9.25-5.amzn2.aarch64
    ghostscript-gtk-9.25-5.amzn2.aarch64
    ghostscript-cups-9.25-5.amzn2.aarch64
    ghostscript-debuginfo-9.25-5.amzn2.aarch64

i686:
    ghostscript-9.25-5.amzn2.i686
    libgs-9.25-5.amzn2.i686
    libgs-devel-9.25-5.amzn2.i686
    ghostscript-gtk-9.25-5.amzn2.i686
    ghostscript-cups-9.25-5.amzn2.i686
    ghostscript-debuginfo-9.25-5.amzn2.i686

noarch:
    ghostscript-doc-9.25-5.amzn2.noarch

src:
    ghostscript-9.25-5.amzn2.src

x86_64:
    ghostscript-9.25-5.amzn2.x86_64
    libgs-9.25-5.amzn2.x86_64
    libgs-devel-9.25-5.amzn2.x86_64
    ghostscript-gtk-9.25-5.amzn2.x86_64
    ghostscript-cups-9.25-5.amzn2.x86_64
    ghostscript-debuginfo-9.25-5.amzn2.x86_64