oss-sec mailing list archives
Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)
From: Tavis Ormandy <taviso () google com>
Date: Thu, 11 Oct 2018 10:20:17 -0700
On Tue, Oct 9, 2018 at 6:58 AM Tavis Ormandy <taviso () google com> wrote:
> The fix is public now, here are the necessary commits:
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d0
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94

A small update, one of these commits was to mark all procedures that use dangerous operators as operators themselves. The idea is that error handlers will only see the top-level operator and not any sub-operators (I know, this is getting complicated).

I noticed a procedure upstream missed, .loadfontloop. Upstream have double checked if there were any others, and I did too - we think that is all of them.

So this commit is necessary as well:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a5a9bf8c6a63

Thanks, Tavis.
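
A toy model of the mitigation described in the message above, as an added example that is not part of the original post and is not Ghostscript code: when a sub-operator fails inside a procedure marked as an operator, the error handler is given only the top-level object. The interpreter, `.privileged_op`, and the procedure names are hypothetical; `unmarked` mirrors the audit for procedures that were missed.

```python
# Toy model only: not Ghostscript code. All names here are hypothetical.
class Operator:
    def __init__(self, name, func, dangerous=False):
        self.name, self.func, self.dangerous = name, func, dangerous
class Procedure:  # as_operator=True models marking it as an operator itself
    def __init__(self, name, body, as_operator=False):
        self.name, self.body, self.as_operator = name, body, as_operator
class InterpError(Exception):
    def __init__(self, culprit):
        super().__init__(culprit.name)
        self.culprit = culprit  # the object the error handler gets to see

def execute(obj, stack):
    if isinstance(obj, Operator):
        try:
            obj.func(stack)
        except IndexError:
            raise InterpError(obj) from None
        return
    try:
        for step in obj.body:
            execute(step, stack)
    except InterpError:
        if obj.as_operator:
            raise InterpError(obj) from None  # report the top level only
        raise

def seen_by_handler(obj, stack):
    """Name of the object an error handler would receive, or None."""
    try:
        execute(obj, stack)
    except InterpError as err:
        return err.culprit.name
    return None

def uses_dangerous(obj):
    if isinstance(obj, Operator):
        return obj.dangerous
    return any(uses_dangerous(step) for step in obj.body)

def unmarked(procs):
    """Procedures that reach a dangerous operator but are not marked."""
    return [p.name for p in procs if uses_dangerous(p) and not p.as_operator]

# Constructed sample: a dangerous operator that fails on an empty stack.
priv = Operator(".privileged_op", lambda s: s.pop(), dangerous=True)
before = Procedure("loader_before", [priv])
after = Procedure("loader_after", [priv], as_operator=True)
missed = Procedure("missed_helper", [Procedure("inner", [priv])])
```
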