Bug 1768911 (CVE-2019-14869)

Summary: CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys (701841)
Product: [Other] Security Response
Reporter: Cedric Buissart 🐶 <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: amasferr, chazlett, dkaspar, mosvald, security-response-team, twaugh, yozone, zdohnal
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ghostscript 9.50
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the `.charkeys` procedure, which did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that escalates privileges within Ghostscript and accesses files outside of restricted areas or executes commands.
Story Points: ---
Last Closed: 2020-01-21 20:09:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1769343, 1769340, 1769341, 1769342, 1772050, 1772486
Bug Blocks: 1768746

Description Cedric Buissart 🐶 2019-11-05 14:25:04 UTC
While .charkeys cannot be called directly, it is called by .loadwofffont, which in turn can be recovered from .loadfontfile. Using a stack overflow and error handlers, .charkeys can be crashed at a convenient location and .forceput recovered from the stack.

This can be used to disable -dSAFER and, for example, access files outside of the restricted area or execute commands.

The vulnerability is not effective against ghostscript 9.50 thanks to the reimplementation of the SAFER feature.

Reference:
https://bugs.ghostscript.com/show_bug.cgi?id=701841

Comment 3 Cedric Buissart 🐶 2019-11-06 09:40:33 UTC
Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f

Comment 6 Cedric Buissart 🐶 2019-11-07 14:41:35 UTC
The .charkeys operator was vulnerable in one way or another (`superexec` was used before `forceput`) since ghostscript-9.15.
Ghostscript versions older than ghostscript-9.15 (including RHEL-7.6 and previous releases) are not affected by this flaw.
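The affected range stated in this comment (from ghostscript-9.15 up to, but not including, 9.50, where the SAFER reimplementation makes the flaw ineffective) is easy to get wrong by hand. The following is an added example, not code from this bug or from the Ghostscript project: it parses the output of `gs --version` or `gs -v` and classifies the upstream version against that range. One caveat for RHEL and other distribution packages: the errata listed later in this bug backport the fix without changing the package's upstream version string, so for those packages the classification below only says whether the upstream base version falls in the range; the package changelog or erratum is the authority.

```python
"""Classify an upstream Ghostscript version against the CVE-2019-14869 affected range.

Added example for this bug (not Red Hat's or Artifex's code). The range is taken
from Comment 6 of the bug: affected from ghostscript-9.15 up to, but not
including, ghostscript-9.50 (the "Fixed In Version").
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

AFFECTED_FROM: Tuple[int, int] = (9, 15)  # first affected upstream release (per the bug)
FIXED_IN: Tuple[int, int] = (9, 50)       # SAFER reimplemented; flaw no longer effective

# 'gs --version' prints e.g. "9.27"; 'gs -v' prints "GPL Ghostscript 9.27 (2019-04-04)".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int]:
    """Extract (major, minor) from a Ghostscript version banner or bare version string."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Ghostscript version found in {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected_upstream(version: Tuple[int, int]) -> bool:
    """True when the upstream release lies in [9.15, 9.50)."""
    return AFFECTED_FROM <= version < FIXED_IN


def classify(text: str) -> str:
    """Return one of 'not-affected', 'affected', 'fixed' for the given version text.

    'not-affected' covers releases older than 9.15 (no vulnerable .charkeys path);
    'fixed' covers 9.50 and later. Distribution packages with backported fixes
    keep their old version string, so 'affected' means "check the erratum".
    """
    version = parse_version(text)
    if version < AFFECTED_FROM:
        return "not-affected"
    if is_affected_upstream(version):
        return "affected"
    return "fixed"


def installed_version_text() -> Optional[str]:
    """Run 'gs --version' if a gs binary is on PATH; None when it is absent."""
    gs = shutil.which("gs")
    if gs is None:
        return None
    result = subprocess.run([gs, "--version"], capture_output=True, text=True, check=False)
    return result.stdout.strip() or None


if __name__ == "__main__":
    text = installed_version_text()
    if text is None:
        print("gs not found on PATH")
    else:
        print(f"Ghostscript {text}: {classify(text)} (upstream range check only)")
```

Run it on a host with Ghostscript installed to get a quick triage answer; for RHEL hosts, pair the result with `rpm -q --changelog ghostscript` or the RHSA references in this bug rather than trusting the version string alone.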

Comment 8 Cedric Buissart 🐶 2019-11-08 09:52:50 UTC
Acknowledgments:

Name: Artifex Software
Upstream: Paul Manfred, Lukas Schauer

Comment 10 Cedric Buissart 🐶 2019-11-14 09:32:03 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509

Comment 11 Cedric Buissart 🐶 2019-11-14 13:15:33 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1772486]

Comment 12 errata-xmlrpc 2019-11-14 18:03:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3888 https://access.redhat.com/errata/RHSA-2019:3888

Comment 13 Product Security DevOps Team 2019-11-14 18:51:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14869

Comment 14 errata-xmlrpc 2019-11-14 19:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3890 https://access.redhat.com/errata/RHSA-2019:3890

Comment 20 Product Security DevOps Team 2020-01-21 20:09:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14869

Comment 21 errata-xmlrpc 2020-01-23 19:59:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0222 https://access.redhat.com/errata/RHSA-2020:0222