
ghostscript dSafer bypass
Closed, ResolvedPublic

Description

https://bugs.ghostscript.com/show_bug.cgi?id=697808 refers to a new vulnerability in ghostscript which allows bypass of -DSafer. Apparently this was used for the recent Hipchat compromise. There's no upstream fix yet.

We have one extension running on the cluster which also shells out to Ghostscript, extensions/PdfHandler/extension.json which sets "PdfProcessor" to gs. I don't know anything about that extension myself, just noticed it when looking around.

I suggest we wrap this extension with firejail, both to neuter the immediate vulnerability and as hardening going forward. We already have a wrapper installed on all application servers which launches ghostscript with a strict firejail confinement (the same we also use for imagemagick): /usr/local/bin/mediawiki-firejail-ghostscript. So I assume all that would be needed would be to deploy a change which switches PdfProcessor to /usr/local/bin/mediawiki-firejail-ghostscript.

Details

Related Gerrit Patches:
operations/mediawiki-config (master): Re-instate "Run Pdf Processors in firejails"
operations/mediawiki-config (master): Run Pdf Processors in firejails

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 27 2017, 2:53 PM

Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:

  • PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
  • PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript
dpatrick triaged this task as High priority. Apr 27 2017, 5:39 PM

Indeed, I totally missed PdfPostProcessor; /usr/local/bin/mediawiki-firejail-convert is a very similar wrapper around /usr/bin/convert.
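As an added example, not part of this task or the mediawiki-config repository: a small Python check that reads a CommonSettings.php-style fragment and reports whether both PdfHandler commands (PdfProcessor and PdfPostProcessor, as listed above) point at the firejail wrappers named in this thread, so the hardening can be asserted in review or CI instead of rediscovered. The wrapper paths and the config fragments come from this thread; the regex-based PHP parsing is an assumption that only covers plain quoted assignments.

```python
import re

# The firejail wrapper paths named in this task; anything else is unconfined.
FIREJAIL_WRAPPERS = {
    "wgPdfProcessor": "/usr/local/bin/mediawiki-firejail-ghostscript",
    "wgPdfPostProcessor": "/usr/local/bin/mediawiki-firejail-convert",
}

# Matches a live (not commented-out) PHP assignment such as
#   $wgPdfProcessor = 'gs';   with single or double quotes.
_ASSIGN = re.compile(
    r"^\s*\$(wgPdf(?:Post)?Processor)\s*=\s*(['\"])(.*?)\2\s*;", re.M)

def audit_pdfhandler(php_source: str) -> dict:
    """Map each PdfHandler command setting to 'firejailed', 'unconfined'
    (assigned something other than the wrapper, e.g. bare gs) or 'default'
    (never assigned, so the extension's unconfined default applies)."""
    values = {}
    for name, _quote, value in _ASSIGN.findall(php_source):
        values[name] = value  # a later assignment overrides, as in PHP
    verdicts = {}
    for name, wrapper in FIREJAIL_WRAPPERS.items():
        if name not in values:
            verdicts[name] = "default"
        elif values[name] == wrapper:
            verdicts[name] = "firejailed"
        else:
            verdicts[name] = "unconfined"
    return verdicts

def is_hardened(php_source: str) -> bool:
    """True only when both commands run through their firejail wrapper."""
    return all(v == "firejailed" for v in audit_pdfhandler(php_source).values())

# Constructed fragments modelled on CommonSettings.php before and after the fix.
BEFORE = """
if ( $wmgUsePdfHandler ) {
    wfLoadExtension( 'PdfHandler' );
}
"""
AFTER = """
if ( $wmgUsePdfHandler ) {
    wfLoadExtension( 'PdfHandler' );
    $wgPdfProcessor = '/usr/local/bin/mediawiki-firejail-ghostscript';
    $wgPdfPostProcessor = '/usr/local/bin/mediawiki-firejail-convert';
}
"""

if __name__ == "__main__":
    print(audit_pdfhandler(BEFORE), audit_pdfhandler(AFTER))
```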

Reedy added a comment. Apr 27 2017, 7:18 PM

Because copying files through multiple hosts to my laptop in a hotel in Zambia is more effort than I can be bothered with at this moment in time... ;)

From 3d063e2bc5034e1d6e21373e01ad8c00f0f5de70 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Thu, 27 Apr 2017 20:16:52 +0100
Subject: [PATCH] Run Pdf Processors in firejails

Bug: T164000
Change-Id: I3e66f699a9bfe4eeb26e17fac4a114e6ae610b22
---
 wmf-config/CommonSettings.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index 839e219a..4241f047 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -1842,6 +1842,8 @@ $wgAbuseFilterEmergencyDisableAge = $wmgAbuseFilterEmergencyDisableAge;
 
 if ( $wmgUsePdfHandler ) {
 	wfLoadExtension( 'PdfHandler' );
+	$wgPdfProcessor = '/usr/local/bin/mediawiki-firejail-ghostscript';
+	$wgPdfPostProcessor = '/usr/local/bin/mediawiki-firejail-convert';
 }
 
 wfLoadExtension( 'WikiEditor' );
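Review bot: the two added assignments (`$wgPdfProcessor` and `$wgPdfPostProcessor`) carry no comment saying why the extension's default commands are being replaced; a one-line comment above them such as `// T164000: run PdfHandler's external commands under firejail` would stop a later clean-up from reverting them as apparent cruft. Both values are absolute paths to wrappers that have to be present on every host that renders PDFs, so confirm the wrappers are installed wherever this CommonSettings.php is synced before deploying.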
-- 
2.11.0

Reedy added a comment. Apr 27 2017, 7:27 PM

https://gerrit.wikimedia.org/r/350643 merged and deployed

[20:24:10] <logmsgbot> !log reedy@naos Synchronized wmf-config/CommonSettings.php: Run pdf processors in firejails T164000 (duration: 01m 20s)

Reedy added a comment. Apr 27 2017, 7:32 PM

Can this be resolved and opened to the public now?

The vulnerability itself is public, seems fine.

Reedy closed this task as Resolved. Apr 27 2017, 8:06 PM
Reedy claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 352572 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

https://gerrit.wikimedia.org/r/352572

Change 352572 merged by jenkins-bot:
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

https://gerrit.wikimedia.org/r/352572

Mentioned in SAL (#wikimedia-operations) [2017-06-05T21:01:55Z] <reedy@tin> Synchronized wmf-config/CommonSettings.php: Run Pdf Processors in firejails T164145 T164000 (duration: 00m 40s)