Reference:MergeArticles and Security:Security Advisories/BSSA-2023-01: Difference between pages

Latest revision as of 10:02, 14 November 2023



Date	2023-07-25
Severity	Medium
Affected	BlueSpice Infrastructure: Ghostscript
Fixed in	Ghostscript 9.53.3 and 10.01.2
CVE	CVE-2023-36664

Problem

A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have set it active.

Solution

Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding $wgPdfProcessor = '/usr/bin/gs'; to LocalSettings.php.

If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.

Resources

For Debian: https://www.debian.org/security/2023/dsa-5446
For Debian10: Information on source package ghostscript (debian.org)
For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

Acknowledgements

Found during an internal security audit.

@@ Line 1: / Line 1: @@
-{{BSExtensionInfo
+{| class="wikitable"
-|desc=Merge corresponding pages in wiki instances.
+|+
-|status=stable
+!
-|developer=HalloWelt
+!
-|type=BlueSpice
+|-
-|edition=BlueSpice Farm (deactivated)
+|Date
-|compatible=BlueSpice
+|2023-07-25
-|category=Quality Assurance
+|-
-|license=GPL v3
+|Severity
-|active=No
+|Medium
-|features=The extension '''MergeArticles''' makes it possible to merge page revisions.
+|-
+|Affected
+|
+* BlueSpice Infrastructure: Ghostscript
+|-
+|Fixed in
+|
+* Ghostscript 9.53.3 and 10.01.2
+|-
+|CVE
+|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
+|}
-==Usage / Features==
+== Problem ==
-If a page is moved to another wiki using the '''ContentTransfer''' extension, the page is saved in a special namespace in the target wiki. From there, the page can be compared and merged with the latest revision that already exists in this wiki.
+A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.
-}}
+PDFHandler is not enabled by default, but many installations have set it active.
-{{wcagCheck}}
-{{Translation}}
+== Solution ==
+Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.
+If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.
+== Resources ==
+* For Debian: https://www.debian.org/security/2023/dsa-5446
+* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
+* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8
+== Acknowledgements ==
+Found during an internal security audit.