Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 12 Aug 2019 15:25:15 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includes displaying (rasterization & rendering) and printing of document pages, as well as conversions between different document formats.
URL : www.ghostscript.com

The flaw is a usual "getting a reference to a privileged function" (the script must successfully be able to overload the error handling code to take advantage of that flaw), allowing arbitrary file access.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could use this flaw to escalate its privileges and, for example, access files outside of restricted areas.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy : 
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file permissions. After this commit, the ability to modify the /PermitFile* entries from systemdict's /userparams entry should have no effect.
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove SAFER, and modify the /PermitFile* lists. However, the interpreter will still refuse to access files outside of a list provided from a set of command line options. This should mitigate the class of ghostscript vulnerabilities similar to the one described above.

Best regards,

--
Cedric Buissart
Product Security
Red Hat

Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.