Message-ID: <8250f648-c517-fa70-36db-214d87671a4c@gmail.com>
Date: Thu, 19 Apr 2018 23:22:28 +0100
From: Vítor Silva <vitorhg20080@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-10194 Ghostscript 9.18 stack-based buffer overflow

Hello,

I think I found a possible RCE in Ghostscript 9.23. I can reproduce it on
9.18 (but not on 9.23), and the vendor confirmed the vulnerability and
applied a fix for 9.23.


[Suggested description]
The set_text_distance function in devices/vector/gdevpdts.c in the
pdfwrite component in Artifex Ghostscript through 9.22 does not prevent
overflows in text-positioning calculation, which allows remote attackers
to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted PDF document.

------------------------------------------

[Additional Information]
This seems to affect only Ghostscript 9.18 or earlier. My analysis
suggests this is bad input validation in pdf_set_text_matrix in
gdevpdts.c, causing the pprintg1 function in spprint.c to write out of
bounds on the stack.

I can provide a test-case file. Even though this does not seem to trigger
on newer versions, this package is still available on a lot of systems
(such as Ubuntu or Debian) as the latest version available.

$ gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress \
    -dHaveTrueTypes=true -dEmbedAllFonts=true \
    -dSubsetFonts=false \
    -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" \
    -f fuzzed-case1.ps
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Reg... 4743540
3133830 2015200 710957 1 done.
Loading NimbusRomNo9L-Med font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Med... 4820876
3332725 2035392 735152 1 done.
Loading NimbusMono-Regular font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Regular... 4900004
3527153 2055584 752136 1 done.
Loading NimbusMono-Bold font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Bold... 5118700
3762771 2095968 786137 1 done.
Loading NimbusRomNo9L-RegIta font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-RegIta...
5357220 4001795 2156544 851571 1 done.
Loading NimbusSanL-Reg font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusSanL-Reg... 5556092
4193319 2358464 1039445 1 done.
*** stack smashing detected ***: gs terminated
Aborted (core dumped)

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
ghostscript

------------------------------------------

[Affected Product Code Base]
ghostscript - 9.18

------------------------------------------

[Affected Component]
pprintg1 of ghostscript

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
crafted PostScript can crash and/or execute code via buffer overflow

------------------------------------------

[Reference]
https://bugs.ghostscript.com/show_bug.cgi?id=699255
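Added illustration of the bug class described in the analysis above; this is not Ghostscript's code and not the vendor's fix. A hypothetical emitter for a PDF "tx ty Td" text-positioning operator formats two doubles into a fixed stack buffer, as pprintg1 does, but first rejects non-finite or absurdly large operands and length-checks the formatted result, so a crafted document cannot push a value whose textual form overruns the buffer. The function names and the MAX_TEXT_DISTANCE bound are assumptions.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Assumed sanity bound for a text-positioning operand (points). */
#define MAX_TEXT_DISTANCE 1.0e6

/* Hypothetical emitter for "tx ty Td". Returns 0 and fills out[] on
 * success, -1 if an operand is unusable (NaN, infinite, or beyond the
 * bound) or the formatted operator would not fit in the buffers. */
int emit_text_distance(char *out, size_t out_len, double tx, double ty)
{
    char str[64];   /* fixed-size scratch buffer on the stack, as in pprintg1 */
    int n;

    /* Validate before formatting: overflowed text-matrix arithmetic in a
     * crafted PDF yields exactly the kind of value that must stop here. */
    if (!isfinite(tx) || !isfinite(ty) ||
        fabs(tx) > MAX_TEXT_DISTANCE || fabs(ty) > MAX_TEXT_DISTANCE)
        return -1;

    /* "%f" is used deliberately: its length grows with the magnitude of the
     * value, which is why the bound above matters for a fixed buffer. */
    n = snprintf(str, sizeof str, "%.2f %.2f Td\n", tx, ty);
    if (n < 0 || (size_t)n >= sizeof str)
        return -1;  /* truncated or failed: never use a partial result */
    if ((size_t)n >= out_len)
        return -1;  /* caller's buffer too small */
    memcpy(out, str, (size_t)n + 1);
    return 0;
}

/* Convenience check: 1 when the operands would be accepted, else 0. */
int text_distance_is_safe(double tx, double ty)
{
    char buf[64];
    return emit_text_distance(buf, sizeof buf, tx, ty) == 0;
}
```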


