Bug 1744042 (CVE-2019-14817)

Summary: CVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: chazlett, deekej, mosvald, pdwyer, sbunciak, security-response-team, twaugh, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ghostscript 9.50
Doc Text:
A flaw was found in the .pdfexectoken and other procedures, which did not properly secure their privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable the security protection and then access the file system or execute arbitrary commands.
Last Closed: 2019-09-02 13:07:29 UTC
Bug Depends On: 1744228, 1744229, 1744230, 1744231, 1747909
Bug Blocks: 1743530

Description Cedric Buissart 2019-08-21 08:03:34 UTC
There seem to be several .forceput accessible in .pdfexectoken and other procedures.

For the case of .pdfexectoken: several .forceput are available on the stack:

{-dict- /PDFSTEPcount --known-- --not-- {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly-- --if-- PDFSTEP {-dict- /PDFtokencount 2 --copy-- --.knownget-- {1 --add--} {1} --ifelse-- --.forceput-- PDFSTEPcount 1 --gt-- {-dict- /PDFSTEPcount PDFSTEPcount 1 --sub-- --.forceput--} --executeonly-- {--dup-- ==only (    step # ) --print-- PDFtokencount =only ( ? ) --print-- --flush-- 1 false --.outputpage-- (%stdin) (r) --file-- 255 --string-- --readline-- {--token-- {--exch-- --pop-- -dict- /PDFSTEPcount 3 -1 --roll-- --.forceput--} --executeonly-- {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly-- --ifelse--} {--pop-- /PDFSTEP false --def--} --ifelse--} --ifelse--} --executeonly-- {--dup-- ==only () = --flush--} --ifelse--}                        

As with the other recent vulnerabilities, the mitigation included post-gs-9.27 successfully prevents arbitrary file access & code execution even when the script disables SAFER. However, gs up to version 9.27 is affected.

This can be used to disable -dSAFER and, for example, access files outside of the restricted area or execute commands.

Reference:
https://bugs.ghostscript.com/show_bug.cgi?id=701450
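The report above separates three states by upstream version: gs up to 9.27 is fully affected, builds after 9.27 still expose .forceput but carry the mitigation that blocks file access and command execution, and 9.50 carries the upstream fix. The following triage helper is an added example, not code from the bug report or from Ghostscript; it parses the version out of `gs --version` or `gs -v` banner text and maps it to those states. The sample banners are constructed. Distribution packages backport fixes (Red Hat shipped patched builds via the RHSAs listed later in this bug), so for packaged builds the vendor advisory, not this upstream-version check, decides whether a host is fixed.

```python
"""Triage helper for CVE-2019-14817 based on the upstream Ghostscript version.

Added example, not part of the bug report. Upstream-version logic only:
distribution packages backport fixes, so check the vendor advisory for those.
"""
import re
from typing import Tuple

# Boundaries taken from the bug report: up to 9.27 the SAFER bypass leads to
# file access / command execution; the upstream fix shipped in 9.50.
FULLY_AFFECTED_MAX = (9, 27)
FIXED_IN = (9, 50)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_gs_version(text: str) -> Tuple[int, int]:
    """Extract (major, minor) from 'gs --version' output ("9.27") or a 'gs -v'
    banner such as 'GPL Ghostscript 9.27 (...)'. Ghostscript numbers releases
    9.50, not 9.5, so the minor part is read as a plain integer."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Ghostscript version found in: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version: Tuple[int, int]) -> str:
    """Map an upstream version to one of the states described in the report."""
    if version >= FIXED_IN:
        return "fixed"                        # .forceput exposure closed upstream
    if version > FULLY_AFFECTED_MAX:
        return "forceput-exposed-mitigated"   # SAFER bypass possible, post-9.27 mitigation blocks file access / exec
    return "vulnerable"                       # SAFER bypass leads to file access / command execution


def triage(banner: str) -> str:
    """Convenience wrapper: version text in, state label out."""
    return classify(parse_gs_version(banner))


if __name__ == "__main__":
    # Constructed sample banners (dates are placeholders), not captured from a real host.
    for banner in ("9.26",
                   "GPL Ghostscript 9.27 (2019-01-01)",
                   "9.28",
                   "GPL Ghostscript 9.50 (2019-01-01)"):
        print(f"{banner!r:40} -> {triage(banner)}")
```

The three labels mirror the report's own statements rather than adding a severity model: "vulnerable" is the reporter's "gs up to version 9.27 are affected", the middle label records that .forceput remained reachable until the 9.50 fix while the post-9.27 mitigation prevented the file access and code execution the reporter describes, and "fixed" is the Fixed In Version field.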

Comment 3 Cedric Buissart 2019-08-21 15:12:31 UTC
Upstream fix (containing additional potential fixes other than .pdfexectoken):
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Comment 9 Cedric Buissart 2019-08-30 09:56:06 UTC
Acknowledgments:

Name: Artifex Software

Comment 10 errata-xmlrpc 2019-09-02 07:54:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2586 https://access.redhat.com/errata/RHSA-2019:2586

Comment 11 errata-xmlrpc 2019-09-02 07:54:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2591 https://access.redhat.com/errata/RHSA-2019:2591

Comment 12 Cedric Buissart 2019-09-02 08:53:32 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1747909]

Comment 13 Product Security DevOps Team 2019-09-02 13:07:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14817