Message-ID: <20190812132515.GA4647@cbuissar-ltop.localdomain>
Date: Mon, 12 Aug 2019 15:25:15 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: ghostscript CVE-2019-10216: -dSAFER escape via .buildfont1

Hello,

This is to disclose a new vulnerability in ghostscript, rated as Important.

Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript (PS) and Portable Document Format (PDF) page description languages.  Its primary purpose includes displaying (rasterization & rendering) and printing of document pages, as well as conversions between different document formats.
URL : www.ghostscript.com

The flaw is of the usual "getting a reference to a privileged function" kind (to take advantage of it, the script must first succeed in overloading the error handling code), and allows arbitrary file access.


* CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394):
It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could use this flaw to escalate its privileges and, for example, access files outside of restricted areas.

All released versions of ghostscript are believed to be impacted, up to, and including, 9.27 (however, master should not be affected: see below for builds post commit 7ecbfda92).

Upstream bug report (currently restricted) : https://bugs.ghostscript.com/show_bug.cgi?id=701394
Upstream fix : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19 

Acknowledgements:
* Red Hat would like to thank Artifex for alerting us.
* The vulnerability was originally discovered by Netanel from Cloudinary.


Noteworthy : 
A recent modification, started in upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff, changed how file access permissions are enforced. After this commit, modifying the /PermitFile* entries in systemdict's /userparams should have no effect.
That is to say: getting a reference to a highly privileged function (such as .forceput) can still be used to remove SAFER and modify the /PermitFile* lists, but the interpreter will still refuse to access files outside the lists supplied through a set of command line options. This should mitigate the class of ghostscript vulnerabilities to which the one described above belongs.
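To make the two-step shape of this flaw class concrete (a script overloads error handling, then keeps a reference to a privileged procedure such as .forceput), and to show the style of invocation that the post-7ecbfda92 file access controls allow, here is an added example. It is not code from Ghostscript, Artifex or Red Hat. It is a Python pre-filter that a print or conversion service could run on submitted PostScript before handing it to gs: it flags the names mentioned in this advisory (.forceput, .buildfont1, errordict-style error handler overloads, the /PermitFile* userparams keys) and reports "suspicious" only when both an error handler overload and a privileged name appear, or when /PermitFile* is touched directly. It also assembles a gs command line built on -dSAFER plus --permit-file-read / --permit-file-write; those option names are taken from Ghostscript 9.28 and later and are an assumption of this example, as are the token lists, the file paths and the two sample inputs, which are constructed here (the suspicious one only contains the names the scanner looks for and is not a working exploit).

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Heuristic token lists chosen for this example (not published by Artifex or
# Red Hat).  Extend them as further privileged procedures are disclosed.
PRIVILEGED_OPERATORS = (".forceput", ".buildfont1")
ERROR_HANDLER_PATTERNS = (r"\berrordict\b", r"/handleerror\b", r"\$error\b")
PERMIT_KEYS = ("/PermitFileReading", "/PermitFileWriting", "/PermitFileControl")


@dataclass
class Finding:
    line_no: int
    token: str
    reason: str  # "privileged-operator", "error-handler" or "permit-key"


def _name_pattern(name: str) -> "re.Pattern":
    # Match a PostScript name token that is not glued to another name or a
    # dotted prefix: "/.forceput" and " .forceput" match, "x.forceput" does not.
    return re.compile(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])")


def scan_postscript(text: str) -> List[Finding]:
    """Return every suspicious token together with the line it appears on.

    Comments are deliberately not stripped: a name inside a comment is a
    harmless false positive, whereas cutting a line at '%' would let a '%'
    inside a (string) hide everything after it from the scanner.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for op in PRIVILEGED_OPERATORS:
            for m in _name_pattern(op).finditer(line):
                findings.append(Finding(line_no, m.group(0), "privileged-operator"))
        for pat in ERROR_HANDLER_PATTERNS:
            for m in re.finditer(pat, line):
                findings.append(Finding(line_no, m.group(0), "error-handler"))
        for key in PERMIT_KEYS:
            for m in _name_pattern(key).finditer(line):
                findings.append(Finding(line_no, m.group(0), "permit-key"))
    return findings


def classify(text: str) -> str:
    """Return 'suspicious', 'review' or 'clean'.

    A privileged name combined with an error handler overload is the shape of
    this flaw class; touching /PermitFile* is suspicious on its own.  An error
    handler overload alone is common in legitimate jobs (custom error pages),
    so it only earns a manual review.
    """
    reasons = {f.reason for f in scan_postscript(text)}
    if "permit-key" in reasons:
        return "suspicious"
    if "privileged-operator" in reasons and "error-handler" in reasons:
        return "suspicious"
    return "review" if reasons else "clean"


def hardened_gs_command(input_ps: str, output_pdf: str,
                        read_roots: Sequence[str] = (),
                        write_roots: Sequence[str] = ()) -> List[str]:
    """Build a gs argv that relies on the post-7ecbfda92 file access controls.

    Assumption: the --permit-file-read / --permit-file-write options of
    Ghostscript 9.28 and later.  Paths not listed stay inaccessible even if a
    job manages to clear SAFER or edit /PermitFile* in userparams.
    """
    argv = ["gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=pdfwrite",
            f"-sOutputFile={output_pdf}"]
    argv += [f"--permit-file-read={root}" for root in read_roots]
    argv += [f"--permit-file-write={root}" for root in write_roots]
    argv.append(input_ps)  # the input file goes last, after all options
    return argv


# Constructed samples for this example.  The second one only contains the
# names the scanner looks for; it is not a working exploit.
BENIGN_PS = """%!PS-Adobe-3.0
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello, world) show
showpage
"""

SUSPICIOUS_PS = """%!PS
% constructed sample: names that a -dSAFER escape of this class refers to
errordict /typecheck { } put
systemdict /.forceput known
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PS), ("suspicious", SUSPICIOUS_PS)):
        print(label, "->", classify(sample))
        for f in scan_postscript(sample):
            print(f"  line {f.line_no}: {f.token} ({f.reason})")
    print(" ".join(hardened_gs_command("job.ps", "/var/spool/out/job.pdf",
                                       read_roots=["/var/spool/in/"],
                                       write_roots=["/var/spool/out/"])))
```

The scanner is a triage aid, not a sandbox: PostScript can build names at run time, so a determined job can evade token matching, which is why the hardened invocation (and, on releases before the new file controls, running gs with no access to anything sensitive at all) remains the real boundary.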

Best regards,

--
Cedric Buissart
Product Security
Red Hat

