Date: Wed, 5 Oct 2016 09:13:03 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - multiple ghostscript -dSAFER sandbox problems

Hi, just an update and CVE request for various ghostscript issues.

In general, the security properties of -dSAFER are not well tested and it's probably not wise to rely on it. The issues below were found just by browsing the commands available; I haven't tried fuzzing it.

These are all possible to exploit via PDF or PS (or the various similar formats, like XPS). If you're using ImageMagick, I would recommend disabling the PS, EPS, PDF and XPS coders in policy.xml. Applications like gimp, evince, claws, and most other applications that generate thumbnails of PDF/PS documents should probably not do so without a prompt (NOTE: A lot of packages do this https://codesearch.debian.net/search?q=-dSAFER+&perpkg=1 )

bug: various userparams allow %pipe% in paths, allowing remote shell command execution.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=71ac874
cve: please assign

bug: .libfile doesn't check PermitFileReading array, allowing remote file disclosure.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697169
repro: http://www.openwall.com/lists/oss-security/2016/09/29/28
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
cve: please assign

bug: reference leak in .setdevice allows use-after-free and remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697179
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02
cve: please assign

bug: type confusion in .initialize_dsc_parser allows remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697190
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
cve: please assign

There are a few other minor issues and leaks, but these are the important ones if you're not going to disable using gs.

Please also check that you're shipping the patch for CVE-2013-5653.

Tavis.
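The mail's mitigation for ImageMagick users is to deny the PS, EPS, PDF and XPS coders in policy.xml so that ImageMagick never hands untrusted input to ghostscript. The following checker is an added example (not part of the original post and not ImageMagick's or ghostscript's own code): it parses a policy.xml, collects every coder that is denied outright with rights="none" (including ImageMagick's {A,B,C} brace patterns) and reports which ghostscript-backed coders are still allowed. The two policy.xml excerpts embedded in it are constructed for illustration, the PS2/PS3 aliases are included on the assumption that they also route through ghostscript, and the default path /etc/ImageMagick-6/policy.xml is an assumption that varies by distribution.

```python
"""Check an ImageMagick policy.xml for the coder restrictions recommended
in the mail above: PS, EPS, PDF and XPS should be denied with rights="none"
in the "coder" domain so ImageMagick never invokes ghostscript on them.

Added example for this page; not code from ImageMagick or ghostscript.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# Coders that hand input to ghostscript and should be blocked outright.
# PS2/PS3 are included on the assumption that they also reach gs.
GS_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}

# Constructed sample: a policy that only blocks MVG and HTTPS and merely
# restricts PDF to "read" (which still lets the delegate run).
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="read" pattern="PDF" />
</policymap>
"""

# Constructed sample: the hardened policy the mail recommends, using both
# ImageMagick's brace syntax and single patterns.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS}" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""


def _expand_pattern(pattern: str) -> set[str]:
    """Expand ImageMagick's brace syntax: '{PS,EPS}' -> {'PS', 'EPS'}.

    Coder names are compared case-insensitively, so everything is uppercased.
    """
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()}
    return {pattern.upper()} if pattern else set()


def blocked_coders(policy_xml: str) -> set[str]:
    """Return the coder names that the policy denies entirely (rights="none").

    Only the "coder" domain counts; a "delegate" or "path" rule does not stop
    ImageMagick from decoding a PostScript file via ghostscript.
    """
    root = ET.fromstring(policy_xml)
    blocked: set[str] = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        # rights="none" denies read, write and execute; any other value
        # (e.g. "read") still allows the coder to be used on input.
        if policy.get("rights", "").lower() != "none":
            continue
        blocked |= _expand_pattern(policy.get("pattern", ""))
    return blocked


def missing_gs_blocks(policy_xml: str) -> set[str]:
    """Ghostscript-backed coders that the policy does NOT disable."""
    return GS_CODERS - blocked_coders(policy_xml)


def main(argv: list[str]) -> int:
    # Assumed default location; Debian/Ubuntu ship ImageMagick 6 here.
    path = argv[1] if len(argv) > 1 else "/etc/ImageMagick-6/policy.xml"
    with open(path, encoding="utf-8") as fh:
        missing = missing_gs_blocks(fh.read())
    if missing:
        print(f"{path}: ghostscript coders still enabled: {sorted(missing)}")
        return 1
    print(f"{path}: PS/EPS/PDF/XPS coders are denied")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file (python3 check_policy.py /etc/ImageMagick-6/policy.xml); a non-zero exit lists the coders that still need a rights="none" entry. Note that the check only reads the policy file: it does not tell you whether the ImageMagick binary actually honours it, so a second test with a harmless .ps input through convert is still worthwhile after editing the policy.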