Ghostscript CVE-2023-28879: "Shell in the Ghost"

[Alan Coopersmith <alan.coopersmith () oracle com>]

I haven't seen mail to the list about this yet, so FYI for those who haven't
seen it via other channels.

https://artifex.com/news/critical-security-vulnerability-fixed-in-ghostscript
says:

> Artifex is pleased to announce that our team of developers have
> successfully addressed and fixed a critical security vulnerability in
> Artifex Ghostscript, version 10.01.0. A CVE (Common Vulnerabilities
> and Exposures) identifier has been assigned to the issue,
> https://nvd.nist.gov/vuln/detail/CVE-2023-28879.
>
> On March 23, 2023, a security researcher, Hadrien Perrineau, reported
> the buffer overflow and exploit, on March 24 Artifex fixed the overflow
> and removed other related code reducing the attack surface. Fixes were
> published here:
>
> https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179
>
> https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179
>
> A release, Ghostscript and GhostPDL 10.01.1, was published on March 27.
> An email alert was sent out to all Artifex customers on March 27
> notifying them of the bug and the fix. Artifex worked with customers to
> integrate the solution into their products as quickly as possible.
> On April 7 the bug was made public.
>
> Users of Ghostscript are urged to update their software to the latest
> version immediately. By doing so, they will be able to mitigate the risk
> associated with this vulnerability and ensure the security and integrity
> of their systems.

A report from those who found the bug, including their POC, was published
yesterday:

https://offsec.almond.consulting/ghostscript-cve-2023-28879.html

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris