oss-sec mailing list archives
Re: Ghostscript 9.24 issues
From: Tavis Ormandy <taviso () google com>
Date: Sun, 9 Sep 2018 12:26:01 -0700
On Sat, Sep 8, 2018 at 3:42 AM Marius Bakke <mbakke () fastmail com> wrote:
> Tavis Ormandy <taviso () google com> writes:
>
>> Quick update, this <http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4> commit fixes that problem, but I noticed that fix is incomplete and can be bypassed, so filed another bug for that (the new bug is 699718).
>
> I see <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640> is now closed. As far as I can tell, these are the (only) commits necessary on top of 9.24[*]:
>
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002fb9c131313253c307cf3951b3d47
>
> Which are all variations of CVE-2018-16509. Is my understanding correct?

Yes, I think that's enough for all the issues I reported. There are some more security commits in git (like this one <http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624>) that are not from me though. That one in particular seems like a good idea, errordict is like window.onerror in PostScript, a top-level exception handler. It's hard to believe there are many legitimate untrusted documents using complex exception handling logic ¯\_(ツ)_/¯

> Many thanks to Tavis and P0 for finding these and keeping us in the loop!
>
> [*] You'll also need this to make 2&3 apply:
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e914f1da46e33decc534486598dc3eadf69e6efb