oss-sec mailing list archives

ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1


From: Cedric Buissart <cbuissar () redhat com>
Date: Mon, 12 Aug 2019 15:25:15 +0200

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document 
Format (PDF) page description languages.  Its primary purpose includes displaying (rasterization & rendering) and 
printing of document pages, as well as conversions between different document formats.
URL : www.ghostscript.com

The flaw is the usual "getting a reference to a privileged function" class (the script must first succeed in overloading 
the error handling code to take advantage of the flaw), allowing arbitrary file access.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass 
`-dSAFER` restrictions. A specially crafted PostScript file could use this flaw to escalate its privileges and, for 
example, access files outside of restricted areas.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should 
not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy:
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed how file access 
permissions are handled. After this commit, modifying the /PermitFile* entries from systemdict's /userparams entry 
should have no effect.
That is to say: getting a reference to a highly privileged function (such as .forceput) can still be used to remove 
SAFER and to modify the /PermitFile* lists. However, the interpreter will still refuse to access files outside of the 
list provided by a set of command line options. This should mitigate the class of ghostscript vulnerabilities similar 
to the one described above.
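As an added example (not part of this advisory and not Artifex code), the following Python scanner flags PostScript input carrying the indicators this bug class depends on: an overloaded error handler combined with a reference to .buildfont1, to a privileged operator such as .forceput, or to the /PermitFile* user parameters. The full /PermitFileReading, /PermitFileWriting and /PermitFileControl names are Ghostscript's userparams names; the advisory only shows the prefix. The sample inputs are constructed and are not working exploit chains.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns derived from the advisory's description: the script first
# overloads error handling, then reaches a privileged operator and tampers with
# the /PermitFile* user parameters. Hits are triage signals, not proof of
# exploitation: legitimate prologs occasionally redefine handleerror.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "error_handler_overload": re.compile(r"\berrordict\b|/handleerror\b"),
    "buildfont1_reference": re.compile(r"\.buildfont1\b"),
    "privileged_operator": re.compile(r"\.forceput\b"),
    "permitfile_tamper": re.compile(r"/PermitFile(Reading|Writing|Control)\b"),
}

def scan_postscript(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, indicator_name) for every indicator hit.
    Lines that are entirely comments (leading '%') are skipped."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("%"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def verdict(hits: List[Tuple[int, str]]) -> str:
    """'suspicious' when error-handler overloading is combined with an
    escalation indicator; a lone hit is only 'review'; no hits is 'clean'."""
    names = {name for _, name in hits}
    escalation = {"buildfont1_reference", "privileged_operator", "permitfile_tamper"}
    if "error_handler_overload" in names and names & escalation:
        return "suspicious"
    return "review" if names else "clean"

# Constructed sample inputs (not real documents).
BENIGN_PS = """%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello) show
showpage
"""

SUSPECT_PS = """%!PS
% constructed sample: carries the advisory's indicators, not a working chain
errordict /typecheck { pop } put
/PermitFileReading
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PS), ("suspect", SUSPECT_PS)):
        print(label, verdict(scan_postscript(doc)), scan_postscript(doc))
```

Run it over files before they reach an unpatched interpreter; a "suspicious" verdict is a reason to quarantine and inspect, not a confirmation of CVE-2019-10216 exploitation.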

Best regards,

--
Cedric Buissart
Product Security
Red Hat
