oss-sec mailing list archives

Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961)


From: Tavis Ormandy <taviso () google com>
Date: Thu, 11 Oct 2018 10:20:17 -0700

On Tue, Oct 9, 2018 at 6:58 AM Tavis Ormandy <taviso () google com> wrote:


The fix is public now, here are the necessary commits:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a54c9e61e7d0
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94
A small update, one of these commits was to mark all procedures that use
dangerous operators as operators themselves. The idea is that error
handlers will only see the top-level operator and not any sub-operators (I
know, this is getting complicated).

I noticed a procedure upstream missed, .loadfontloop. Upstream have double
checked if there were any others, and I did too - we think that is all of
them.

So this commit is necessary as well:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a5a9bf8c6a63

Thanks, Tavis.
