Date: Wed, 5 Oct 2016 09:13:03 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - multiple ghostscript -dSAFER sandbox problems

Hi, just an update and CVE request for various ghostscript issues.

In general, the security properties of -dSAFER are not well tested and it's probably not wise to rely on it. The issues below were found just by browsing the commands available; I haven't tried fuzzing it.

These are all possible to exploit via PDF or PS (or the various similar formats, like XPS). If you're using ImageMagick, I would recommend disabling the PS, EPS, PDF and XPS coders in policy.xml. Applications like gimp, evince, claws, and most other applications that generate thumbnails of PDF/PS documents should probably not do so without a prompt.

(NOTE: A lot of packages do this: https://codesearch.debian.net/search?q=-dSAFER+&perpkg=1 )

bug: various userparams allow %pipe% in paths, allowing remote shell command execution.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=71ac874
cve: please assign

bug: .libfile doesn't check PermitFileReading array, allowing remote file disclosure.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697169
repro: http://www.openwall.com/lists/oss-security/2016/09/29/28
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
cve: please assign

bug: reference leak in .setdevice allows use-after-free and remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697179
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02
cve: please assign

bug: type confusion in .initialize_dsc_parser allows remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697190
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
cve: please assign

There are a few other minor issues and leaks, but these are the important ones if you're not going to disable using gs.

Please also check that you're shipping the patch for CVE-2013-5653.

Tavis.
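The post's mitigation for ImageMagick users is to deny the Ghostscript-backed coders (PS, EPS, PDF, XPS) in policy.xml. The script below is an added example, not part of Tavis's post and not ImageMagick or Ghostscript code: it parses a policy.xml, reports which of those four coders are still permitted, and emits a copy with a `rights="none"` entry for each missing one. The `<policymap>`/`<policy domain="coder" rights="none" pattern="..."/>` syntax is ImageMagick's own; the sample policy embedded here is constructed for the demonstration, and the function names are this example's, not an ImageMagick API.

```python
"""Audit an ImageMagick policy.xml for the Ghostscript-backed coders that the
post recommends disabling (PS, EPS, PDF, XPS).

Added example, not part of the original post. The sample policy below is
constructed for the demonstration; the policy.xml syntax (<policymap>,
<policy domain="coder" rights="none" pattern="..."/>) is ImageMagick's own.
"""
import xml.etree.ElementTree as ET

# Coders that hand their input to Ghostscript and therefore depend on the
# -dSAFER sandbox the post describes as unreliable. The post names these four.
GS_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample policy: PS and PDF are denied, EPS is only restricted to
# "read" (still reachable), and XPS has no entry at all.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="read" pattern="EPS"/>
</policymap>
"""


def blocked_coders(policy_xml: str) -> set:
    """Return the coder patterns the policy denies all rights to."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        # Only rights="none" fully denies the coder; "read" or "write" alone
        # still lets ImageMagick invoke it for the other direction.
        if pol.get("rights", "").strip().lower() == "none":
            blocked.add(pol.get("pattern", "").strip().upper())
    return blocked


def unguarded_gs_coders(policy_xml: str, coders=GS_CODERS) -> list:
    """List the Ghostscript-backed coders the policy still allows, in order."""
    blocked = blocked_coders(policy_xml)
    return [c for c in coders if c not in blocked]


def hardened_policy(policy_xml: str, coders=GS_CODERS) -> str:
    """Return the policy with a rights="none" entry appended for each
    Ghostscript-backed coder that is not already denied."""
    root = ET.fromstring(policy_xml)
    for coder in unguarded_gs_coders(policy_xml, coders):
        ET.SubElement(root, "policy", domain="coder", rights="none", pattern=coder)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("still allowed:", unguarded_gs_coders(SAMPLE_POLICY))
    print(hardened_policy(SAMPLE_POLICY))
```

Run it against the system policy with `open("/etc/ImageMagick-6/policy.xml").read()` (path varies by distribution and ImageMagick version) in place of `SAMPLE_POLICY`. One deliberate simplification: ImageMagick matches `pattern` as a glob, so a single entry such as `pattern="{PS,EPS,PDF,XPS}"` also denies all four; this checker only recognises one literal coder name per entry and would flag such a policy as unguarded, so treat its output as a prompt to look, not as a verdict.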