Page MenuHomePhabricator
Create Task
Maniphest T164000

ghostscript dSafer bypass
Closed, ResolvedPublic
Actions

Description

https://bugs.ghostscript.com/show_bug.cgi?id=697808 refers to a new vulnerability in ghostscript which allows bypass of -DSafer. Apparently this was used for the recent Hipchat compromise. There's no upstream fix yet.

We have one extension running on the cluster which also shells out to Ghostscript, extensions/PdfHandler/extension.json which sets "PdfProcessor" to gs. I don't know anything about that extension myself, just noticed it when looking around.

I suggest we wrap this extension with firejail, both to neuter the immediate vulnerability and as hardening going forward. We already have a wrapper installed on all application servers which launches ghostscript with a strict firejail confinement (the same we also use for imagemagick): /usr/local/bin/mediawiki-firejail-ghostscript, so I assume all that would be needed would be to deploy a change which switched PdfProcessor to /usr/local/bin/mediawiki-firejail-ghostscript

Details

SubjectRepoBranchLines +/-
Re-instate "Run Pdf Processors in firejails"operations/mediawiki-configmaster+2 -0
Run Pdf Processors in firejailsoperations/mediawiki-configmaster+2 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT172584 Securing external binaries run by MediaWiki
 ResolvedReedyT164000 ghostscript dSafer bypass

Event Timeline

MoritzMuehlenhoff created this task.Apr 27 2017, 2:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 27 2017, 2:53 PM
MoritzMuehlenhoff added subscribers: dpatrick, Bawolff, Reedy.Apr 27 2017, 2:53 PM
dpatrick added a comment.Apr 27 2017, 5:38 PM

Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:

  • PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
  • PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript
dpatrick triaged this task as High priority.Apr 27 2017, 5:39 PM
MoritzMuehlenhoff added a comment.Apr 27 2017, 5:43 PM

Indeed, I totally missed PdfPostProcessor, /usr/local/bin/mediawiki-firejail-convert is a very similar wrapper around /usr/bin/convert

Reedy added a comment.Apr 27 2017, 7:18 PM

Because copying files through multiple hosts to my laptop in a hotel in zambia is more effort than I can be bothered with at this moment in time... ;)

From 3d063e2bc5034e1d6e21373e01ad8c00f0f5de70 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Thu, 27 Apr 2017 20:16:52 +0100
Subject: [PATCH] Run Pdf Processors in firejails

Bug: T164000
Change-Id: I3e66f699a9bfe4eeb26e17fac4a114e6ae610b22
---
 wmf-config/CommonSettings.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index 839e219a..4241f047 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -1842,6 +1842,8 @@ $wgAbuseFilterEmergencyDisableAge = $wmgAbuseFilterEmergencyDisableAge;
 
 if ( $wmgUsePdfHandler ) {
 	wfLoadExtension( 'PdfHandler' );
+	$wgPdfProcessor = '/usr/local/bin/mediawiki-firejail-ghostscript';
+	$wgPdfPostProcessor = '/usr/local/bin/mediawiki-firejail-convert';
 }
 
 wfLoadExtension( 'WikiEditor' );
-- 
2.11.0
Reedy added a comment.Apr 27 2017, 7:27 PM

https://gerrit.wikimedia.org/r/350643 merged and deployed

[20:24:10] <logmsgbot> !log reedy@naos Synchronized wmf-config/CommonSettings.php: Run pdf processors in firejails T164000 (duration: 01m 20s)
Reedy added a comment.Apr 27 2017, 7:32 PM

Can this be resolved and opened to the public now?

MoritzMuehlenhoff added a comment.Apr 27 2017, 7:49 PM

The vulnerability itself is public, seems fine.

Reedy closed this task as Resolved.Apr 27 2017, 8:06 PM
Reedy claimed this task.
Reedy added a project: WMF-General-or-Unknown.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy mentioned this in T164145: Investigate why firejails break PdfHandler.Apr 29 2017, 9:54 AM
gerritbot subscribed.May 8 2017, 11:41 AM

Change 352572 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

https://gerrit.wikimedia.org/r/352572

gerritbot added a project: Patch-For-Review.May 8 2017, 11:41 AM
gerritbot added a comment.Jun 5 2017, 8:59 PM

Change 352572 merged by jenkins-bot:
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

https://gerrit.wikimedia.org/r/352572

Stashbot subscribed.Jun 5 2017, 9:01 PM

Mentioned in SAL (#wikimedia-operations) [2017-06-05T21:01:55Z] <reedy@tin> Synchronized wmf-config/CommonSettings.php: Run Pdf Processors in firejails T164145 T164000 (duration: 00m 40s)

Reedy mentioned this in T147041: Multiple ghostscript vulnerabilities.Aug 5 2017, 2:14 AM
Reedy mentioned this in T172584: Securing external binaries run by MediaWiki.
Reedy added a parent task: T172584: Securing external binaries run by MediaWiki.Aug 28 2017, 11:40 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL