oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

ghostscript: CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 and CVE-2019-14817 (.forceput exposed)

From: Cedric Buissart <cbuissar () redhat com>
Date: Wed, 28 Aug 2019 14:29:19 +0200
Hello,

This is to report another 4 CVEs in ghostscript, rated important. They are all similar to the recently reported 
CVE-2019-10216 (reference to `.forceput` can be accessed)

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document 
Format (PDF) page description languages.  Its primary purpose includes displaying (rasterization & rendering) and 
printing of document pages, as well as conversions between different document formats.
URL : www.ghostscript.com

1- CVE-2019-14811 : Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)

2- CVE-2019-14812 : Safer Mode Bypass by .forceput Exposure in setuserparams (701444)

3- CVE-2019-14813 : Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)

4- CVE-2019-14817 : Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)

In each case, a specially crafted script could get a reference to .forceput and use that to disable the -dSAFER 
protection. This then allows the script to access file system outside of resitricted areas and execute arbitrary 
commands.
Regarding CVE-2019-14817, only the .pdfexectoken procedure was proven to be vulnerable, the other fixed methods were 
only potentially vulnerable.

Preventing the modification of the error handler might protect most of these vulnerable functions

The fixes have been pushed upstream :

CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33

CVE-2019-14817 : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Acknowledgments :
CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 were reported to upstream by Hiroki MATSUKUMA of Cyber Defense 
Institute, Inc.


Noteworthy (similar to CVE-2019-10216) :
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed the access to file 
permissions. After this commit, the ability to modify the /PermitFile* entries from systemdict's /userparams entry 
should have no effect.
That is to say: getting a reference to highly privileged function (such as .forceput), can still be used to remove 
SAFER, and modify the /PermitFile* lists. However, the interpreter will still refuse to access files outside of a list 
provided from a set of command line options. This should mitigate the class of ghostscript vulnerabilities similar to 
the one described above.

Best regards

--
Cedric Buissart
Product Security
Red Hat
Previous By Date Next
Previous By Thread Next

Current thread: