oss-sec mailing list archives
CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys
From: Cedric Buissart <cbuissar () redhat com>
Date: Fri, 15 Nov 2019 09:46:02 +0100
Hello, This is to publicly disclose CVE-2019-14869 : "-dSAFER escape in .charkeys" This is another instance of a highly priviledged operator being accessible by specially crafted Postscript code, that can be used to break out of the -dSAFER limitations. It was found that `.forceput` operator was present and unprotected in the `.charkeys` method and could be retrieved via manipulation of the error handler. The `.charkeys` method was vulnerable since ghostscript-9.15, in one way or another: the privileged operator was `superexec` instead of `.forceput` until a more recent version. Upstream fix: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f Upstream bug report (currently private): https://bugs.ghostscript.com/show_bug.cgi?id=701841 Red Hat would like to thank upstream, Artifex, for alerting us about the flaw. The vulnerability was originally reported by Paul Manfred & Lukas Schauer. Note: similarly to other recent ghostscript vulnerabilities, this one is mitigated by the recent -dSAFER rework. However, ghostscript-9.27 and older are fully impacted. -- Cedric Buissart Red Hat Product Security
Attachment:
signature.asc
Description:
Current thread:
- CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys Cedric Buissart (Nov 15)