Date: Thu, 21 Mar 2019 16:31:01 +0100
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: ghostscript: 2 -dSAFER bypass: CVE-2019-3835 & CVE-2019-3838

Hi,

This is to disclose 2 vulnerabilities in ghostscript (https://ghostscript.com/).


1- CVE-2019-3835 ghostscript: superexec operator is available

It was found that the superexec operator was still available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, access the file system outside of the constraints imposed by -dSAFER.

This one is considered particularly Important because it can be easily triggered inside popular Linux PostScript viewers, or embedded in a PDF when read by the `gs` command, and could be used to modify the content of bashrc.

Upstream fixes:
* Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
* Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6

Upstream bug report (currently restricted): https://bugs.ghostscript.com/show_bug.cgi?id=700585

Note: the only important fix is the second one, d683d1e6; the first one is only a dependency of it.

To test whether you are affected on recent ghostscript (gs-9.22 and later, i.e. starting from commit 8556b698892):

$ gs -dSAFER -dNODISPLAY
GS> 1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print

On versions older than 9.22, this would be sufficient:

GS> /superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print
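As an added helper (not part of the original advisory), the two probes above wrapped in a script that picks the right one from the installed `gs --version` and classifies the result, so the check can be run non-interactively across a fleet. It assumes a `gs` binary on PATH that accepts `-c`; the magic number and both PostScript snippets are copied from the advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

# Probe from the advisory for gs >= 9.22: superexec was hidden in internaldict,
# which is unlocked with the (well-known, source-visible) password 1183615869.
PROBE_NEW = "1183615869 internaldict /superexec known { (VULNERABLE\\n) } { (SAFE\\n) } ifelse print"
# Probe from the advisory for versions older than 9.22: superexec was reachable by name.
PROBE_OLD = "/superexec where { (VULNERABLE\\n) } { (SAFE\\n) } ifelse print"

def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from output such as '9.27' or 'GPL Ghostscript 9.50 (...)'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def pick_probe(version: Optional[Tuple[int, int]]) -> str:
    """The internaldict probe is needed from 9.22 on; older builds use the 'where' probe.
    An unparseable version falls back to the newer probe, which is the safer guess."""
    if version is not None and version < (9, 22):
        return PROBE_OLD
    return PROBE_NEW

def classify(output: str) -> str:
    """Map the probe's printed marker to a verdict; anything else (e.g. an error
    because internaldict itself is gone in a patched build) is reported as unknown."""
    if "VULNERABLE" in output:
        return "vulnerable"
    if "SAFE" in output:
        return "safe"
    return "unknown"

def check_superexec(gs: str = "gs") -> str:
    """Run the advisory's CVE-2019-3835 check against the given gs binary."""
    ver = subprocess.run([gs, "--version"], capture_output=True, text=True, check=True).stdout
    probe = pick_probe(parse_version(ver))
    # -q suppresses the banner, -dBATCH/-dNOPAUSE make gs exit instead of prompting.
    run = subprocess.run(
        [gs, "-q", "-dSAFER", "-dNODISPLAY", "-dBATCH", "-dNOPAUSE", "-c", probe],
        capture_output=True, text=True,
    )
    return classify(run.stdout + run.stderr)

if __name__ == "__main__":
    print("CVE-2019-3835 superexec check:", check_superexec())
```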



2- CVE-2019-3838 ghostscript: forceput in DefineResource is still accessible

It was found that the forceput operator could still be extracted from the DefineResource method, using methods similar to the ones described in CVE-2019-6116. A specially crafted PostScript file could use this flaw in order to, for example, access the file system outside of the constraints imposed by -dSAFER.

Upstream bug report (currently restricted): https://bugs.ghostscript.com/show_bug.cgi?id=700576

Upstream fixes:
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a

Don't hesitate to let me know if further information is required.

Best regards,

--
Cedric Buissart
Red Hat Product Security

