oss-sec mailing list archives

CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys


From: Cedric Buissart <cbuissar () redhat com>
Date: Fri, 15 Nov 2019 09:46:02 +0100

Hello,

This is to publicly disclose CVE-2019-14869: "-dSAFER escape in
.charkeys"

This is another instance of a highly privileged operator being
accessible by specially crafted PostScript code, that can be used to
break out of the -dSAFER limitations.

It was found that `.forceput` operator was present and unprotected in
the `.charkeys` method and could be retrieved via manipulation of the
error handler.

The `.charkeys` method was vulnerable since ghostscript-9.15, in one way
or another: the privileged operator was `superexec` instead of
`.forceput` until a more recent version.

Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f

Upstream bug report (currently private):
https://bugs.ghostscript.com/show_bug.cgi?id=701841

Red Hat would like to thank upstream, Artifex, for alerting us about the
flaw. The vulnerability was originally reported by Paul Manfred & Lukas Schauer.

Note: similarly to other recent ghostscript vulnerabilities, this one is
mitigated by the recent -dSAFER rework. However, ghostscript-9.27 and
older are fully impacted.
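A small inventory check that applies the version range named in this advisory (vulnerable since ghostscript-9.15, fully impacted up to and including 9.27) to an installed `gs`. This is an added example for defenders, not part of the advisory or of the Ghostscript project; it assumes `gs --version` prints a bare version string such as `9.27`, and the function names are my own.

```shell
#!/bin/sh
# Hypothetical helper (not from the advisory): decide whether a Ghostscript
# version string falls inside the range the advisory names as impacted by
# CVE-2019-14869. Per the advisory, .charkeys carried the privileged operator
# since 9.15, and 9.27 and older are fully impacted; newer releases carry the
# -dSAFER rework that mitigates this class of escape.
FIRST_AFFECTED=9.15
LAST_AFFECTED=9.27

# version_le A B : exit 0 when A <= B, comparing dot-separated numeric fields
# (portable awk instead of sort -V so it works on non-GNU userlands).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# gs_affected VERSION : exit 0 if VERSION lies within [9.15, 9.27], 1 otherwise.
gs_affected() {
    version_le "$FIRST_AFFECTED" "$1" && version_le "$1" "$LAST_AFFECTED"
}

# check_installed_gs : report on the gs binary found in PATH (exit 2 if none).
# Assumption: `gs --version` prints only the version number.
check_installed_gs() {
    if ! command -v gs >/dev/null 2>&1; then
        echo "gs not found in PATH"
        return 2
    fi
    v=$(gs --version)
    if gs_affected "$v"; then
        echo "gs $v: within the CVE-2019-14869 affected range; -dSAFER alone does not contain it, update to a fixed build"
        return 0
    fi
    echo "gs $v: outside the affected range"
    return 1
}

# Stand-alone usage: report on the local installation.
[ "${0##*/}" = "gs_check.sh" ] && check_installed_gs
```

The point of keeping the range in two constants is that the lower bound comes from the advisory's own history of `.charkeys` (`superexec` in older releases, `.forceput` later), so a host running something older than 9.15 is reported as outside the range rather than silently treated as safe by a "less than 9.28" test alone.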

--
Cedric Buissart
Red Hat Product Security
