Reference:Arrays and Security:Security Advisories/BSSA-2023-01: Difference between pages

Revision as of 16:31, 28 July 2023



Date	2023-07-25
Severity	Medium
Affected	BlueSpice Infrastructure: Ghostscript
Fixed in	Ghostscript 9.53.3 and 10.01.2
CVE	CVE-2023-36664

Problem

A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have set it active.

Solution

Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding $wgPdfProcessor = '/usr/bin/gs'; to LocalSettings.php.

If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.

Resources

For Debian: https://www.debian.org/security/2023/dsa-5446
For Debian10: Information on source package ghostscript (debian.org)
For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

Acknowledgements

Found during an internal security audit.

@@ Line 1: / Line 1: @@
-{{BSExtensionInfobox
+{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
-|desc=Store and compute named arrays
+{| class="wikitable"
-|status=stable
+|+
-|developer=Li Ding, Jie Bao, Daniel Werner
+!
-|type=MediaWiki
+!
-|edition=BlueSpice pro, BlueSpice free, BlueSpice Farm, BlueSpice Cloud
+|-
-|compatible=MediaWiki
+|Date
-|category=Rich Articles
+|2023-07-25
-|license=MIT
+|-
-|docu=https://www.mediawiki.org/wiki/Extension:Arrays
+|Severity
-|features=The <nowiki>'''</nowiki>Arrays<nowiki>'''</nowiki> extension (formerly known as <nowiki>''</nowiki>ArrayExtension<nowiki>''</nowiki>) creates an additional set of parser functions <nowiki>[https://meta.wikimedia.org/wiki/Help:Parser_function]</nowiki> that operate on arrays <nowiki>[https://en.wikipedia.org/wiki/Array]</nowiki> .
+|Medium
-|active=Yes
+|-
-}}
+|Affected
-{{wcagCheck
+|
-|wcagStatus=2-testing complete
+* BlueSpice Infrastructure: Ghostscript
-|wcagCheckedfor=Web, Authoring tool
+|-
-|wcagTestdate=2022-08-04
+|Fixed in
-|wcagLevel=AA
+|
-|wcagSupport=partially supports
+* Ghostscript 9.53.3 and 10.01.2
-|wcagWorkaround=yes
+|-
-|wcagComments=parser functions - entered as text
+|CVE
-|extensionType=core
+|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
-|extensionFocus=organizer
+|}
-}}
+== Problem ==
+A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.
+PDFHandler is not enabled by default, but many installations have set it active.
+== Solution ==
+Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.
+If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.
+== Resources ==
+* For Debian: https://www.debian.org/security/2023/dsa-5446
+* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
+* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8
+== Acknowledgements ==
+Found during an internal security audit.