Date: Wed, 19 Oct 2016 16:29:43 +0200
From: Cedric Buissart <>
Subject: Re: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

On Wed, Oct 5, 2016 at 8:04 PM, <> wrote:

> > bug: various userparams allow %pipe% in paths, allowing remote shell
> > command execution.
> > id:
> > repro:
> > patch:;h=71ac87493b1e445d6c07554d4246cf7d4f44875c
> Use CVE-2016-7976.
> There currently isn't a separate CVE ID for the earlier impact that
> occurred when "b" was in the mode argument to popen. The question of
> whether popen will execute anyway (even with the 'b' character) is,
> more or less, a reachability concern in this context, and doesn't mean
> that a second vulnerability needs to be defined.

The original report for this bug (show_bug.cgi?id=697178), as described by
Florian, was mentioning a directory traversal issue.
The directory traversal does not appear to be resolved after applying the
given patch:

$ cat
currentdevice null true mark /OutputICCProfile (../../../../../etc/passwd)
$ strace -f -e open gs -dSAFER |& grep passwd

Is it expected?

Cedric Buissart,
Product Security
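
As an added example (not part of the original message and not Ghostscript's own code): a lexical check that a file parameter, such as the OutputICCProfile value in the reproducer above, is a plain relative path, rejecting %device% prefixes like %pipe% and any "../" sequence that climbs above the base directory. The function name path_is_confined and the sample paths in main are assumptions made for illustration; the check is purely lexical and does not resolve symlinks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (illustration only, not Ghostscript code).
 * Returns 1 if `path` is a plain relative path that stays inside the
 * directory it is resolved against, 0 otherwise. */
int path_is_confined(const char *path)
{
    int depth = 0;                      /* components below the base dir */
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (*path == '%')                   /* %pipe%, %os%, ... device prefix */
        return 0;
    if (*path == '/')                   /* absolute path */
        return 0;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)            /* climbed above the base dir */
                return 0;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary component */
        }
        p += len;
        while (*p == '/')               /* skip a run of separators */
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the first is the path from the message. */
    const char *samples[] = {
        "../../../../../etc/passwd", "%pipe%cmd",
        "profiles/a/../srgb.icc", "a/../../etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               path_is_confined(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```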
