oss-sec mailing list archives

CVE Request - multiple ghostscript -dSAFER sandbox problems
From: Tavis Ormandy <taviso () google com>
Date: Wed, 5 Oct 2016 09:13:03 -0700

Hi, just an update and CVE request for various ghostscript issues. In
general, the security properties of -dSAFER are not well tested and
it's probably not wise to rely on it. The issues below were found just
by browsing the commands available, I haven't tried fuzzing it.

These are all possible to exploit via PDF or PS (or the various
similar formats, like XPS).

If you're using ImageMagick, I would recommend disabling the PS, EPS,
PDF and XPS coders in policy.xml. Applications like gimp, evince,
claws, and most other applications that generate thumbnails of PDF/PS
documents should probably not do so without a prompt (NOTE: A lot of
packages do this
https://codesearch.debian.net/search?q=-dSAFER+&perpkg=1 )

bug: various userparams allow %pipe% in paths, allowing remote shell
command execution.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=71ac874
cve: please assign

bug: .libfile doesn't check PermitFileReading array, allowing remote
file disclosure.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697169
repro: http://www.openwall.com/lists/oss-security/2016/09/29/28
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
cve: please assign

bug: reference leak in .setdevice allows use-after-free and remote
code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697179
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02
cve: please assign

bug: type confusion in .initialize_dsc_parser allows remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697190
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
cve: please assign

There are a few other minor issues and leaks, but these are the
important ones if you're not going to disable using gs. Please also
check that you're shipping the patch for CVE-2013-5653.

Tavis.
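An ImageMagick policy.xml fragment implementing the coder-disabling recommendation in the post above, added here as an example and not part of the original message or of ImageMagick's shipped configuration. The coder names PS, EPS, PDF and XPS are the ones the post lists; PS2 and PS3 are ImageMagick's other PostScript coder names and are an assumed addition, and the file location varies by distribution (for example /etc/ImageMagick-6/policy.xml on Debian-based systems).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Weak state: a policy.xml with no "coder" entries lets ImageMagick accept
  PS/EPS/PDF/XPS input and hand it to ghostscript, so a crafted document
  reaches the -dSAFER sandbox the post describes as unreliable.
  Corrected state: deny those coders outright, so such input is refused
  before ghostscript is ever invoked.
-->
<policymap>
  <!-- Coders named in the post; "none" removes read and write rights. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <!-- Assumed additions (not in the post): ImageMagick's other
       PostScript coder names, also delegated to ghostscript. -->
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
</policymap>
```

After installing the file, `convert -list policy` prints the active entries, and attempting to read a PDF or PostScript file should fail with a `not authorized` error rather than launching gs.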
