Message-ID: <CAJ_zFk+f8Q-4UQt0gv6X_v_gSb12UVVVQ1knJBdZjpA=MQ-S5w@mail.gmail.com>
Date: Wed, 5 Oct 2016 09:13:03 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - multiple ghostscript -dSAFER sandbox problems

Hi, just an update and CVE request for various ghostscript issues. In
general, the security properties of -dSAFER are not well tested and
it's probably not wise to rely on it. The issues below were found just
by browsing the commands available; I haven't tried fuzzing it.

These are all possible to exploit via PDF or PS (or the various
similar formats, like XPS).

If you're using ImageMagick, I would recommend disabling the PS, EPS,
PDF and XPS coders in policy.xml. Applications like gimp, evince,
claws, and most other applications that generate thumbnails of PDF/PS
documents should probably not do so without a prompt (NOTE: a lot of
packages do this:
https://codesearch.debian.net/search?q=-dSAFER+&perpkg=1)

bug: various userparams allow %pipe% in paths, allowing remote shell
command execution.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697178
repro: http://www.openwall.com/lists/oss-security/2016/09/30/8
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=71ac874
cve: please assign

bug: .libfile doesn't check PermitFileReading array, allowing remote
file disclosure.
id: http://bugs.ghostscript.com/show_bug.cgi?id=697169
repro: http://www.openwall.com/lists/oss-security/2016/09/29/28
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
cve: please assign

bug: reference leak in .setdevice allows use-after-free and remote
code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697179
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
patch: http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=d5ad1e02
cve: please assign

bug: type confusion in .initialize_dsc_parser allows remote code execution
id: http://bugs.ghostscript.com/show_bug.cgi?id=697190
repro: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
patch: http://git.ghostscript.com/?p=ghostpdl.git;h=875a0095f37626a721c7ff57d606a0f95af03913
cve: please assign

There are a few other minor issues and leaks, but these are the
important ones if you're not going to disable using gs. Please also
check that you're shipping the patch for CVE-2013-5653.

Tavis.
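The mitigation recommended in the message above, disabling the PostScript-family coders in ImageMagick's policy.xml so that ImageMagick never hands PS/EPS/PDF/XPS input to ghostscript, as an added example that is not part of the original post or of the ImageMagick project's shipped configuration. The coder names PS, EPS, PDF and XPS are the ones named in the message; PS2 and PS3 are ImageMagick's other PostScript coders and are included here for completeness. The file location (/etc/ImageMagick-6/policy.xml) is an assumption and varies by distribution and ImageMagick version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example policy.xml fragment (added here, not the project's default file).
     Assumed location: /etc/ImageMagick-6/policy.xml (distribution-specific).
     Each <policy> below denies ImageMagick the right to read or write the
     named coder, so a PDF/PS/EPS/XPS file is rejected before any delegate
     (ghostscript with -dSAFER) is ever invoked. -->
<policymap>
  <!-- Coders named in the message above -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <!-- Additional PostScript-level coders (not named in the message; added for completeness) -->
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
</policymap>
```

After editing the file, `convert -list policy` prints the active policy map so you can confirm the entries are loaded, and a test conversion of any PDF or PostScript file should then fail with a "not authorized" error rather than reaching ghostscript.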
