Ubuntu 14.04 LTS / 16.04 LTS : Ghostscript regression (USN-3272-2)

2017-05-1700:00:00

www.tenable.com

USN-3272-1 fixed vulnerabilities in Ghostscript. This change introduced a regression when the DELAYBIND feature is used with the eqproc command. This update fixes the problem.

We apologize for the inconvenience.

It was discovered that Ghostscript improperly handled parameters to the rsdparams and eqproc commands. An attacker could use these to craft a malicious document that could disable -dSAFER protections, thereby allowing the execution of arbitrary code, or cause a denial of service (application crash). (CVE-2017-8291)

Kamil Frankowicz discovered a use-after-free vulnerability in the color management module of Ghostscript. An attacker could use this to cause a denial of service (application crash). (CVE-2016-10217)

Kamil Frankowicz discovered a divide-by-zero error in the scan conversion code in Ghostscript. An attacker could use this to cause a denial of service (application crash).
(CVE-2016-10219)

Kamil Frankowicz discovered multiple NULL pointer dereference errors in Ghostscript. An attacker could use these to cause a denial of service (application crash).
(CVE-2016-10220, CVE-2017-5951, CVE-2017-7207).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3272-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(100247);
  script_version("3.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");

  script_cve_id(
    "CVE-2016-10217",
    "CVE-2016-10219",
    "CVE-2016-10220",
    "CVE-2017-5951",
    "CVE-2017-7207",
    "CVE-2017-8291"
  );
  script_xref(name:"USN", value:"3272-2");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/14");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS : Ghostscript regression (USN-3272-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"USN-3272-1 fixed vulnerabilities in Ghostscript. This change
introduced a regression when the DELAYBIND feature is used with the
eqproc command. This update fixes the problem.

We apologize for the inconvenience.

It was discovered that Ghostscript improperly handled parameters to
the rsdparams and eqproc commands. An attacker could use these to
craft a malicious document that could disable -dSAFER protections,
thereby allowing the execution of arbitrary code, or cause a denial of
service (application crash). (CVE-2017-8291)

Kamil Frankowicz discovered a use-after-free vulnerability
in the color management module of Ghostscript. An attacker
could use this to cause a denial of service (application
crash). (CVE-2016-10217)

Kamil Frankowicz discovered a divide-by-zero error in the
scan conversion code in Ghostscript. An attacker could use
this to cause a denial of service (application crash).
(CVE-2016-10219)

Kamil Frankowicz discovered multiple NULL pointer
dereference errors in Ghostscript. An attacker could use
these to cause a denial of service (application crash).
(CVE-2016-10220, CVE-2017-5951, CVE-2017-7207).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3272-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-8291");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ghostscript");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ghostscript-x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgs-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgs9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libgs9-common");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2017-2023 Canonical, Inc. / NASL script (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '14.04', 'pkgname': 'ghostscript', 'pkgver': '9.10~dfsg-0ubuntu10.9'},
    {'osver': '14.04', 'pkgname': 'ghostscript-x', 'pkgver': '9.10~dfsg-0ubuntu10.9'},
    {'osver': '14.04', 'pkgname': 'libgs-dev', 'pkgver': '9.10~dfsg-0ubuntu10.9'},
    {'osver': '14.04', 'pkgname': 'libgs9', 'pkgver': '9.10~dfsg-0ubuntu10.9'},
    {'osver': '14.04', 'pkgname': 'libgs9-common', 'pkgver': '9.10~dfsg-0ubuntu10.9'},
    {'osver': '16.04', 'pkgname': 'ghostscript', 'pkgver': '9.18~dfsg~0-0ubuntu2.6'},
    {'osver': '16.04', 'pkgname': 'ghostscript-x', 'pkgver': '9.18~dfsg~0-0ubuntu2.6'},
    {'osver': '16.04', 'pkgname': 'libgs-dev', 'pkgver': '9.18~dfsg~0-0ubuntu2.6'},
    {'osver': '16.04', 'pkgname': 'libgs9', 'pkgver': '9.18~dfsg~0-0ubuntu2.6'},
    {'osver': '16.04', 'pkgname': 'libgs9-common', 'pkgver': '9.18~dfsg~0-0ubuntu2.6'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-x / libgs-dev / libgs9 / libgs9-common');
}

VendorProductVersionCPE
canonicalubuntu_linuxghostscriptp-cpe:/a:canonical:ubuntu_linux:ghostscript
canonicalubuntu_linuxghostscript-xp-cpe:/a:canonical:ubuntu_linux:ghostscript-x
canonicalubuntu_linuxlibgs-devp-cpe:/a:canonical:ubuntu_linux:libgs-dev
canonicalubuntu_linuxlibgs9p-cpe:/a:canonical:ubuntu_linux:libgs9
canonicalubuntu_linuxlibgs9-commonp-cpe:/a:canonical:ubuntu_linux:libgs9-common
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:lts

Vendor	Product	Version	CPE
canonical	ubuntu_linux	ghostscript	p-cpe:/a:canonical:ubuntu_linux:ghostscript
canonical	ubuntu_linux	ghostscript-x	p-cpe:/a:canonical:ubuntu_linux:ghostscript-x
canonical	ubuntu_linux	libgs-dev	p-cpe:/a:canonical:ubuntu_linux:libgs-dev
canonical	ubuntu_linux	libgs9	p-cpe:/a:canonical:ubuntu_linux:libgs9
canonical	ubuntu_linux	libgs9-common	p-cpe:/a:canonical:ubuntu_linux:libgs9-common
canonical	ubuntu_linux	14.04	cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonical	ubuntu_linux	16.04	cpe:/o:canonical:ubuntu_linux:16.04:-:lts