Security:Security Advisories/BSSA-2023-01 and Ghostscript-CVE-2023-36664 - How to fix: Difference between pages

Left page: Security:Security Advisories/BSSA-2023-01

{| class="wikitable"
|+
!
!
|-
|Date
|2023-07-25
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice Infrastructure: Ghostscript
|-
|Fixed in
|
* Ghostscript 9.53.3 and 10.01.2
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|}

== Problem ==
A bug in Ghostscript can be exploited to run arbitrary code on the host machine using a prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is generated using Ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have it enabled.

== Solution ==
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.

If an upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability of BlueSpice to render PDF preview images.

== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
* For Debian 10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

== Acknowledgements ==
Found during an internal security audit.

__FORCETOC__

Right page: Security:Security Advisories/Ghostscript-CVE-2023-36664 - How to fix

==Overview==
This page is related to the [[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01 Security Advisory]].

Older versions of Ghostscript open a way for script injection.

Because of bugs in the Ghostscript binary from the package manager of the BlueSpice host system, Hallo Welt! mostly installed Ghostscript manually on Linux systems. Those bugs no longer seem to be a problem.

==How to update - Linux==
# '''Check''' the system for a manual installation and delete it:<syntaxhighlight lang="bash">ls -al /usr/local/bin</syntaxhighlight>If there is a binary called <code>gs</code>, delete it:<syntaxhighlight lang="bash">
rm -fr /usr/local/bin/gs
</syntaxhighlight>
# '''Check''' the system for an installation from the package manager (Ghostscript comes as a dependency of ImageMagick):<syntaxhighlight lang="bash">
dpkg -l ghostscript
</syntaxhighlight>For Debian 11 this should look like:<syntaxhighlight lang="bash">
root@XXXXXXXXXXXX:~# dpkg -l ghostscript
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
        Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name          Version              Architektur  Beschreibung
+++-==============-=====================-============-===================================================
ii  ghostscript    9.53.3~dfsg-7+deb11u5 amd64        interpreter for the PostScript language and for PDF
</syntaxhighlight>For Debian 12 the version is "10.0.0~dfsg-11+deb12u1"<br>For Ubuntu 22 the version is "9.50~dfsg-5ubuntu4.8"<br><br>If it does not match the required version, run:<syntaxhighlight lang="bash">
apt update
apt upgrade -y
</syntaxhighlight>and recheck.<br /><br />
# '''Change''' the settings in the codebase.<br /><br />Go to the directory where the codebase is saved (check your Apache configuration for ''DocumentRoot'' if you are not sure). Normally it should look like this:<syntaxhighlight lang="bash">
root@XXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
005-PdfHandler.php:5:$wgPdfProcessor = '/usr/local/bin/gs';
</syntaxhighlight>It could be <code>005-PdfHandler.php</code> or some other configuration file.<br /><br />
# '''Find and change''' the variable to the correct path, for example with this command:<syntaxhighlight lang="bash">
sed -i 's/local\///g' 005-PdfHandler.php
</syntaxhighlight>Double-check:<syntaxhighlight lang="bash">
root@XXXXXXXXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
005-PdfHandler.php:5:$wgPdfProcessor = '/usr/bin/gs';
</syntaxhighlight>

Your system is now patched.

==How to update - Windows==
# '''Uninstall''' the package ''GPL Ghostscript''.
# '''Download''' the package ''Ghostscript AGPL Release'' from https://www.ghostscript.com/releases/gsdnld.html .
# '''Install''' the new package.

Your system is now patched.

Latest revision as of 10:03, 14 November 2023

Overview

This page is related to the BSSA-2023-01 Security Advisory.

Older versions of Ghostscript open a way for script injection.

Because of bugs in the Ghostscript binary from the package manager of the BlueSpice host system, Hallo Welt! mostly installed Ghostscript manually on Linux systems. Those bugs no longer seem to be a problem.

How to update - Linux

  1. Check the system for manual installation and delete it:
    ls -al /usr/local/bin
    
    If there is a binary called
    gs
    
    delete it:
    rm -fr /usr/local/bin/gs
    
  2. Check the system for an installation from the package manager (Ghostscript comes as a dependency of ImageMagick):
    dpkg -l ghostscript
    
    for Debian 11 this should look like:
    root@XXXXXXXXXXXX:~# dpkg -l ghostscript
    Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
    | Status=Nicht/Installiert/Config/U=Entpackt/halb konFiguriert/
             Halb installiert/Trigger erWartet/Trigger anhängig
    |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
    ||/ Name           Version               Architektur  Beschreibung
    +++-==============-=====================-============-===================================================
    ii  ghostscript    9.53.3~dfsg-7+deb11u5 amd64        interpreter for the PostScript language and for PDF
    
    For Debian 12 the Version is "10.0.0~dfsg-11+deb12u1"
    For Ubuntu 22 the Version is "9.50~dfsg-5ubuntu4.8"

    If it does not match the required version, run:
    apt update
    apt upgrade -y
    
    and recheck.

  3. Change the settings in the codebase.

    Go to the directory where the codebase is saved (check your Apache configuration for DocumentRoot if you are not sure). Normally it should look like this:
    root@XXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
    005-PdfHandler.php:5:$wgPdfProcessor = '/usr/local/bin/gs';
    
    It could be 005-PdfHandler.php or some other configuration file.

  4. Find and change the variable to the correct path, for example with this command:
    sed -i 's/local\///g' 005-PdfHandler.php
    
    Double-check:
    root@XXXXXXXXXXX:/var/www/bluespice/w/settings.d# grep -rin PdfProcessor
    005-PdfHandler.php:5:$wgPdfProcessor = '/usr/bin/gs';
    

Your system is now patched.
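The script below is an added example, not part of this page and not Hallo Welt!'s tooling. It turns the four Linux steps above into repeatable checks: whether a manual gs still sits in /usr/local/bin, whether the packaged Ghostscript is at least the fixed version quoted above for the distribution, and whether any settings file still points $wgPdfProcessor at the manual binary. It assumes a Debian or Ubuntu host with dpkg-query, and the function names (manual_gs_present, version_at_least, fixed_version_for, pdfprocessor_ok, fix_pdfprocessor_line, audit), the --audit flag and the constructed sample lines are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: re-checks the four Linux
# steps above in one script. Assumes a Debian/Ubuntu host with dpkg-query;
# the settings directory and distribution name are passed on the command line.
set -u

# Step 1: a manually installed gs in /usr/local/bin shadows the packaged one.
# Returns 0 when such a binary exists (i.e. when step 1 still applies).
manual_gs_present() {
  local bindir="${1:-/usr/local/bin}"
  [ -e "$bindir/gs" ]
}

# Fixed package versions quoted on this page, keyed by distribution.
fixed_version_for() {
  case "$1" in
    debian11) echo "9.53.3~dfsg-7+deb11u5" ;;
    debian12) echo "10.0.0~dfsg-11+deb12u1" ;;
    ubuntu22) echo "9.50~dfsg-5ubuntu4.8" ;;
    *) return 1 ;;
  esac
}

# Step 2: is the installed version at least the fixed one? Uses dpkg's own
# comparison when available (it understands '~' and '+deb11u5' suffixes),
# otherwise falls back to GNU sort -V.
version_at_least() {
  local have="$1" need="$2"
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$have" ge "$need"
  else
    [ "$(printf '%s\n%s\n' "$need" "$have" | sort -V | head -n 1)" = "$need" ]
  fi
}

# Steps 3 and 4: does the configuration still point at the manual binary?
# Reads configuration text from stdin; returns 0 when no line sets
# $wgPdfProcessor to /usr/local/bin/gs.
pdfprocessor_ok() {
  ! grep -q 'wgPdfProcessor.*/usr/local/bin/gs'
}

# Narrower replacement than the page's global sed: only rewrites the gs path
# on $wgPdfProcessor lines, leaving other 'local/' occurrences untouched.
fix_pdfprocessor_line() {
  sed -E "s#(wgPdfProcessor.*)/usr/local/bin/gs#\1/usr/bin/gs#"
}

# Run all checks against a live host:
#   audit <settings.d directory> <debian11|debian12|ubuntu22>
audit() {
  local settings_dir="$1" distro="$2" rc=0 have need
  need="$(fixed_version_for "$distro")" || { echo "unknown distribution: $distro" >&2; return 2; }
  if manual_gs_present /usr/local/bin; then
    echo "FAIL: /usr/local/bin/gs exists; remove it (step 1)"; rc=1
  fi
  have="$(dpkg-query -W -f '${Version}' ghostscript 2>/dev/null || true)"
  if [ -z "$have" ] || ! version_at_least "$have" "$need"; then
    echo "FAIL: ghostscript '${have:-not installed}' is older than $need (step 2)"; rc=1
  fi
  if ! grep -rh 'wgPdfProcessor' "$settings_dir" 2>/dev/null | pdfprocessor_ok; then
    echo "FAIL: \$wgPdfProcessor still points at /usr/local/bin/gs (steps 3-4)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: Ghostscript fix verified"
  return "$rc"
}

# Only touch the live system when invoked explicitly, e.g.:
#   ./gs-audit.sh --audit /var/www/bluespice/w/settings.d debian11
if [ "${1:-}" = "--audit" ]; then
  audit "${2:-/var/www/bluespice/w/settings.d}" "${3:-debian11}"
fi
```

Two design points: the version check delegates to dpkg --compare-versions because Debian version strings such as 9.53.3~dfsg-7+deb11u5 do not sort correctly as plain text, and the path fix is limited to the $wgPdfProcessor line, whereas the page's sed 's/local\///g' removes every occurrence of local/ in the file.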

How to update - Windows

  1. Uninstall the package GPL Ghostscript.
  2. Download the package Ghostscript AGPL Release from https://www.ghostscript.com/releases/gsdnld.html .
  3. Install the new package.

Your system is now patched.

