Bug 1664980

Summary: CVE-2018-15908 breaks reading from stdin
Product: Red Hat Enterprise Linux 7
Reporter: Simon Matter <simon.matter>
Component: ghostscript
Assignee: Martin Osvald 🛹 <mosvald>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.6
CC: simon.matter
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-01-10 08:17:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Simon Matter 2019-01-10 08:05:14 UTC
Description of problem:
When gs is run to read a file from stdin, it adds an error to the output file. This makes the PostScript file invalid and unusable.

Version-Release number of selected component (if applicable):
ghostscript-9.07-31.el7_6.6

How reproducible:
Always

Steps to Reproduce:
1. cat in.pdf | gs -q -dNOPAUSE -dBATCH -P- -dSAFER -sDEVICE=ps2write -sOutputFile=- -c save pop -f - > out.ps

Actual results:
GPL Ghostscript 9.07: Unrecoverable error, exit code 1

The out.ps file starts with the following lines:
Error: /invalidfileaccess in --run--
Operand stack:
   (/tmp/gs_Mjcxno)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   run   --nostringval--   2   %stopped_push   --nostringval--   run   run   false   1   %stopped_push   1907   1   3   %oparray_pop   1906   1   3   %oparray_pop   1887   1   3   %oparray_pop
Dictionary stack:
   --dict:938/1684(ro)(G)--   --dict:1/20(G)--   --dict:77/200(L)--
Current allocation mode is local
%!PS-Adobe-3.0
%%BoundingBox: 0 0 172 65
%%HiResBoundingBox: 0 0 172.00 65.00


Expected results:
The out.ps file should be valid.

Additional info:

Comment 2 Simon Matter 2019-01-10 08:13:51 UTC
Also, gs leaves temporary files in /tmp with names something like gs_Mjcxno.

Comment 3 Martin Osvald 🛹 2019-01-10 08:17:28 UTC
Thank you very much for reporting this problem!


I can reproduce the same.

Responsible patch:

ghostscript-cve-2018-16539.patch

This problem is known to us already:

Bug 1661210 - ghostscript: Regression: pdf2ps reports an error when reading from stdin (Error: /invalidfileaccess in --run--)

TEMPORARY WORKAROUND:

- either pass the input file as a command line argument instead of letting it be read through stdin
- or ignore the error (the error doesn't appear to influence the contents of the resulting output file)
- or downgrade to ghostscript-9.07-31.el7
- or temporarily remove '-dSAFER' from /usr/bin/pdf2ps

Going to close this BZ as DUPLICATE.

*** This bug has been marked as a duplicate of bug 1661210 ***
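
The first workaround from comment 3 (hand gs a file name instead of stdin) while keeping -dSAFER, as an added shell example that is not part of the bug report or the ghostscript package. The function names gs_from_stdin and ps_is_clean are hypothetical; the gs options are copied from the reproducer in the description.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
# Usage: cat in.pdf | gs_from_stdin out.ps

# Return 0 only if the file begins with a PostScript header.
# The broken output in this bug starts with "Error: /invalidfileaccess ..."
# and the "%!PS-Adobe-3.0" line appears only after the error dump.
ps_is_clean() {
    first=$(head -n 1 < "$1" 2>/dev/null)
    case "$first" in
        '%!PS'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Spool stdin to a private temporary file, then pass that file to gs as a
# command line argument so -dSAFER can stay enabled.
gs_from_stdin() {
    out=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/gs_in.XXXXXX") || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }

    gs -q -dNOPAUSE -dBATCH -P- -dSAFER -sDEVICE=ps2write \
       -sOutputFile="$out" -c save pop -f "$tmp"
    rc=$?

    # Remove our own spool file regardless of how gs exited.
    rm -f "$tmp"

    # Succeed only if gs exited cleanly and the output is not prefixed
    # with interpreter error text.
    [ "$rc" -eq 0 ] && ps_is_clean "$out"
}
```

ps_is_clean can also be run on its own over existing output files to find ones produced by the affected package when the error was ignored.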