oss-sec mailing list archives
ghostscript: 2 -dSAFER bypass: CVE-2019-3835 & CVE-2019-3838
From: Cedric Buissart <cbuissar () redhat com>
Date: Thu, 21 Mar 2019 16:31:01 +0100
Hi,

This is to disclose 2 vulnerabilities in ghostscript (https://ghostscript.com/).

1- CVE-2019-3835 ghostscript: superexec operator is available

It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER.

This one is considered particularly Important because it can be easily triggered inside popular Linux PostScript viewers, or embedded in a PDF when read by the `gs` command, and could be used to modify the content of bashrc.

Upstream fixes:
* Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
* Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6

Upstream bug report (currently restricted): https://bugs.ghostscript.com/show_bug.cgi?id=700585

Note: The only important fix is the second one, d683d1e6, the other one is only a dependency.

To test if you are affected (on recent ghostscript, starting from gs-9.22 [starting from commit 8556b698892]):

  $ gs -dSAFER -dNODISPLAY
  GS> 1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print

On versions older than 9.22, this would be sufficient:

  GS> /superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print

2- CVE-2019-3838 ghostscript: forceput in DefineResource is still accessible

It was found that the forceput operator could be extracted from the DefineResource method using methods similar to the ones described in CVE-2019-6116. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER.

Upstream bug report (currently restricted): https://bugs.ghostscript.com/show_bug.cgi?id=700576

Upstream fixes:
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a

Don't hesitate to let me know if further information is required.

Best regards,
-- 
Cedric Buissart
Red Hat Product Security
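The interactive probe quoted in the advisory for CVE-2019-3835 is easy to run by hand on one machine but awkward to repeat across a fleet. The script below is an added example, not part of the advisory and not Ghostscript project code: it wraps the same two PostScript snippets (the `internaldict` form for gs 9.22 and later, the `where` form for older releases) into a non-interactive check that selects the variant from `gs --version`, runs it under `-dSAFER -dBATCH`, and returns an exit status a configuration-management or inventory job can act on. It goes slightly beyond the advisory in that it automates the version branch and adds an explicit UNKNOWN result for hosts where the probe cannot be evaluated. Assumptions: a `gs` binary on PATH (the `GS_BIN` override variable and the optional path argument to `check_superexec` are constructed here), and that an unparseable version string is treated as a recent release.

```shell
#!/bin/sh
# Added example (not from the advisory or the Ghostscript project): wrap the
# advisory's superexec probe in a non-interactive check usable across hosts.
# GS_BIN is an assumed override; it defaults to whatever `gs` is on PATH.
GS_BIN="${GS_BIN:-gs}"

# Decide which probe variant applies: gs >= 9.22 only exposes superexec via
# internaldict, older releases answer `/superexec where` directly.
# Unparseable versions fall back to the newer (internaldict) probe.
probe_mode() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$major$minor" in *[!0-9]*|"") echo new; return ;; esac
  if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 22 ]; }; then
    echo new
  else
    echo old
  fi
}

# The PostScript text of the probe, as quoted in the advisory, with `flush`
# appended so the result is written before -dBATCH terminates the interpreter.
probe_ps() {
  if [ "$1" = old ]; then
    printf '%s' '/superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print flush'
  else
    printf '%s' '1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print flush'
  fi
}

# Map interpreter output to a verdict and exit status: 1 vulnerable, 0 safe,
# 2 could not determine (e.g. the probe itself errored out).
classify() {
  case "$1" in
    *VULNERABLE*) echo "VULNERABLE (gs $2): superexec reachable, CVE-2019-3835 fix missing"; return 1 ;;
    *SAFE*)       echo "SAFE (gs $2)"; return 0 ;;
    *)            echo "UNKNOWN (gs $2): $1"; return 2 ;;
  esac
}

# Run the probe against one binary (optional argument, else $GS_BIN).
check_superexec() {
  gs_bin=${1:-$GS_BIN}
  if ! command -v "$gs_bin" >/dev/null 2>&1; then
    echo "UNKNOWN: $gs_bin not found"
    return 2
  fi
  ver=$("$gs_bin" --version 2>/dev/null | head -n 1)
  mode=$(probe_mode "$ver")
  # -q/-dNOPAUSE/-dBATCH keep gs from prompting; stderr is captured so an
  # interpreter error shows up in the UNKNOWN verdict instead of vanishing.
  out=$("$gs_bin" -q -dSAFER -dNODISPLAY -dNOPAUSE -dBATCH -c "$(probe_ps "$mode")" 2>&1) || true
  classify "$out" "$ver"
}

# Stand-alone use: save as check_superexec.sh and run it; exit 1 = vulnerable.
if [ "${0##*/}" = "check_superexec.sh" ]; then
  check_superexec "$@"
fi
```

The exit status is deliberately 1 for VULNERABLE so a loop over hosts can count failures without parsing text; treat UNKNOWN (2) as a host to inspect by hand rather than as a pass, since a missing binary or a probe that errors out says nothing about whether the d683d1e6 fix is present.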