Bug 1859492 (CVE-2020-15900)

Summary: CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sandbox Breakout)
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akhaitov, deekej, mosvald, security-response-team, yjog, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ghostpdl 9.53 Doc Type: If docs needed, set a value
Doc Text:
Ghostscript's rsearch procedure was vulnerable to an integer underflow, leading to a miscalculation of the size of a buffer, which then can be used to access arbitrary memory. As a result, a specially crafted postscript file could use this flaw to disable the sandbox, which allows arbitrary reads and writes on the file system and execute commands.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-30 07:27:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1862005    
Bug Blocks: 1859490    

Description Cedric Buissart 2020-07-22 09:39:20 UTC 
The vulnerability occurs in the "rsearch" Postscript function, as
implemented in:

https://github.com/ArtifexSoftware/ghostpdl/blob/master/psi/zstring.c#L109


When conducting a reverse search for an empty string in an empty string
as follows:

```
    %!PS
    () dup rsearch
```

The length of the pre-match result is decremented from zero, resulting in
a string reference of length 2**32-1. This may subsequently be used to read
and write up to 4GB of memory.
Comment 1 Cedric Buissart 2020-07-22 09:49:01 UTC 
The vulnerability affects ghostcript versions >= 9.50, and has been introduced by upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
Comment 2 Cedric Buissart 2020-07-22 10:53:25 UTC 
Acknowledgments:

Name: Chris Liddell (Artifex)
Upstream: Timothy Goddard (Insomnia Security)
Comment 3 Cedric Buissart 2020-07-25 09:24:19 UTC 
Upstream fix : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
Comment 5 Cedric Buissart 2020-07-30 06:51:45 UTC 
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1862005]
Comment 6 Product Security DevOps Team 2020-07-30 07:27:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15900