oss-sec mailing list archives
Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)
From: Doran Moppert <dmoppert () redhat com>
Date: Wed, 10 Oct 2018 02:55:17 +0000
Given the number of eyes & hours on these issues my question has to be naive, so I apologise, but couldn't seccomp provide a safe "safe mode" relatively easily? What syscalls does legit ghostscript need once the input and output streams are open?
On Tue, Oct 09, 2018 at 06:34:23PM -0400, Alex Gaynor wrote:
Would they consider making a build-time "safe PS only" flag that ensured it was compiled without things like shell-invocation? Then we could just try to convince Linux distros to package it that way :-) Alex On Tue, Oct 9, 2018 at 6:33 PM Tavis Ormandy <taviso () google com> wrote:On Tue, Oct 9, 2018 at 3:27 PM Perry E. Metzger <perry () piermont com> wrote: > I keep wondering if there isn't a way to fully remove the dangerous > bits from a postscript interpreter so it can _only_ be used to view > the document and literally has no file system access compiled in at > all, so there's no way to touch the fs etc. regardless of what flags > the interpreter is invoked with. > > (I, too, find removing the ability to look at historical postscript > documents a bit more draconian than I like.) > > I've discussed it with upstream, it's a hard no because they feel it would make ghostscript non-conforming (i.e. non-conforming with the Adobe PostScript Language Reference Manual) We probably have similar thoughts on this, but that is the final word from upstream. Tavis.
-- Doran Moppert Red Hat Product Security
Current thread:
- ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Leonid Isaev (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Bob Friesenhahn (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Alex Gaynor (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Doran Moppert (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Rich Felker (Oct 16)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Perry E. Metzger (Oct 17)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Rich Felker (Oct 17)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Tavis Ormandy (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Leonid Isaev (Oct 09)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Hanno Böck (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Eddie Chapman (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Hanno Böck (Oct 10)
- Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961) Emilio Pozuelo Monfort (Oct 11)