oss-sec mailing list archives

ghostscript: 2 -dSAFER bypass: CVE-2019-3835 & CVE-2019-3838


From: Cedric Buissart <cbuissar () redhat com>
Date: Thu, 21 Mar 2019 16:31:01 +0100

Hi,

This is to disclose 2 vulnerabilities in ghostscript (https://ghostscript.com/).


1- CVE-2019-3835 ghostscript: superexec operator is available

It was found that the superexec operator was available in the internal dictionary.  A specially crafted PostScript file 
could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by 
-dSAFER.

This one is considered particularly Important because it can be easily triggered inside popular Linux PostScript 
viewers, or embedded in a PDF when read by the `gs` command, and could be used to modify the content of bashrc.

Upstream fixes:
 * Fix bug 700585: Restrict superexec and remove it from internals and gs_cet.ps
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
 * Bug 700585: Obliterate "superexec". We don't need it, nor do any known apps.
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=700585

Note: The only important fix is the second one, d683d1e6, the other one is only a dependency.

To test if you are affected (on recent ghostscript, starting from gs-9.22 [starting from commit 8556b698892]):

$ gs -dSAFER -dNODISPLAY
GS> 1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print

On versions older than 9.22, this would be sufficient:

GS> /superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print
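The two probes above are interactive (typed at the GS> prompt). The script below is an added example, not part of the advisory or of the Ghostscript project: it feeds the same two PostScript probes to gs with -c so they can be run non-interactively across many hosts, and reduces the output to VULNERABLE, SAFE or UNKNOWN. It assumes gs is on PATH (if it is not, the result is UNKNOWN); the probe strings are the advisory's own, with `quit` appended so gs exits. It runs both probes regardless of version: superexec reachable through either path means vulnerable, and if the internaldict probe fails (e.g. a PostScript error on a build without that operator) the `where` probe is taken as sufficient, which is what the advisory states for pre-9.22 builds.

```shell
#!/bin/sh
# Added example (not from the advisory): script the superexec probes.
# Assumption: `gs` is on PATH; otherwise the result is UNKNOWN.

# PostScript probes verbatim from the advisory, plus `quit` so gs exits.
PROBE_INTERNALDICT='1183615869 internaldict /superexec known { (VULNERABLE\n) } { (SAFE\n) } ifelse print quit'
PROBE_WHERE='/superexec where { (VULNERABLE\n) } { (SAFE\n) } ifelse print quit'

# Reduce raw gs output (stdout+stderr) to VULNERABLE / SAFE / UNKNOWN.
# Only an exact VULNERABLE or SAFE line counts; anything else (for
# example a PostScript error because `internaldict` is missing on an
# old build) is UNKNOWN.
classify_probe_output() {
  if printf '%s\n' "$1" | grep -qx 'VULNERABLE'; then
    echo VULNERABLE
  elif printf '%s\n' "$1" | grep -qx 'SAFE'; then
    echo SAFE
  else
    echo UNKNOWN
  fi
}

# Run one probe under the same flags as the advisory (-dSAFER -dNODISPLAY),
# in batch mode so the interpreter does not wait at the GS> prompt.
run_probe() {
  command -v gs >/dev/null 2>&1 || { echo UNKNOWN; return; }
  classify_probe_output "$(gs -q -dSAFER -dNODISPLAY -dBATCH -dNOPAUSE -c "$1" 2>&1)"
}

# Combine the two probe results:
#  - superexec found via either path       -> VULNERABLE
#  - neither probe produced a usable answer -> UNKNOWN (e.g. gs not installed)
#  - otherwise                              -> SAFE (a failed internaldict probe
#    means superexec cannot be hidden there, so the `where` probe suffices)
combine_results() {
  case "$1 $2" in
    *VULNERABLE*)      echo VULNERABLE ;;
    "UNKNOWN UNKNOWN") echo UNKNOWN ;;
    *)                 echo SAFE ;;
  esac
}

check_superexec() {
  combine_results "$(run_probe "$PROBE_INTERNALDICT")" "$(run_probe "$PROBE_WHERE")"
}

# Usage: sh check_superexec.sh   (prints VULNERABLE, SAFE or UNKNOWN)
check_superexec
```

Note that `-dSAFER` is passed explicitly because the point is to test what a -dSAFER-restricted file can still reach; a SAFE result only says superexec is not reachable by these two probes, it says nothing about the forceput issue described next.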



2- CVE-2019-3838 ghostscript: forceput in DefineResource is still accessible

It was found that the forceput operator could be extracted from the DefineResource method using methods similar to the 
ones described in CVE-2019-6116. A specially crafted PostScript file could use this flaw in order to, for example, have 
access to the file system outside of the constraints imposed by -dSAFER.

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=700576

Upstream fixes:
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
* https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a

Don't hesitate to let me know if further information is required.

Best regards,

--
Cedric Buissart
Red Hat Product Security
