(Difference between pages)
No edit summary Tag: 2017 source edit |
No edit summary Tag: 2017 source edit |
||
Line 1: | Line 1: | ||
{ | {| class="wikitable" | ||
| | |+ | ||
| | ! | ||
| | ! | ||
| | |- | ||
| | |Date | ||
| | |2023-07-25 | ||
| | |- | ||
| | |Severity | ||
| | |Medium | ||
| | |- | ||
|Affected | |||
| | |||
* BlueSpice Infrastructure: Ghostscript | |||
|- | |||
|Fixed in | |||
| | |||
* Ghostscript 9.53.3 and 10.01.2 | |||
|- | |||
|CVE | |||
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664] | |||
|} | |||
== | == Problem == | ||
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server. | |||
PDFHandler is not enabled by default, but many installations have set it active. | |||
== Solution == | |||
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>. | |||
If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images. | |||
== Resources == | |||
* For Debian: https://www.debian.org/security/2023/dsa-5446 | |||
* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)] | |||
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8 | |||
== Acknowledgements == | |||
Found during an internal security audit. |
Latest revision as of 10:02, 14 November 2023
Date | 2023-07-25 |
Severity | Medium |
Affected |
|
Fixed in |
|
CVE | CVE-2023-36664 |
Problem
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.
PDFHandler is not enabled by default, but many installations have set it active.
Solution
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding $wgPdfProcessor = '/usr/bin/gs';
to LocalSettings.php
.
If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.
Resources
- For Debian: https://www.debian.org/security/2023/dsa-5446
- For Debian10: Information on source package ghostscript (debian.org)
- For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8
Acknowledgements
Found during an internal security audit.