oss-sec mailing list archives
Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)
From: Tavis Ormandy <taviso () google com>
Date: Tue, 9 Oct 2018 10:11:34 -0700
On Tue, Oct 9, 2018 at 9:53 AM Leonid Isaev <leonid.isaev () jila colorado edu> wrote:
> On Tue, Oct 09, 2018 at 06:58:39AM -0700, Tavis Ormandy wrote:
> > Full working exploit that works in the last few versions is attached, viewing it in evince, imagemagick, gimp, okular, etc should add a line to ~/.bashrc.
>
> Add zathura to the above list :)
>
> > p.s. plz can we deprecate untrusted postscript :(
>
> Which means any postscript file downloaded from the internet... Then how should people read arXiv.org, for example?
I think we should encourage switching to other document formats that we have a better handle on securing.

If you do need untrusted ps, I think treating it the same as a shell script file you downloaded from the internet. I mean, technically there's a bash restricted mode and python rexec, but you probably wouldn't run it on random things you just downloaded.

gs -dSAFER and bash -r are useful features, but I think ever invoking them automatically without prompts about trust, etc, is just asking for trouble.

Tavis.