Bug 2002271 (CVE-2021-3781)

Summary: CVE-2021-3781 ghostscript: sandbox escape using '%pipe%'
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: akhaitovich, kyoneyam, mjg, mosvald, psampaio, rlescak, security-response-team, yozone, zdohnal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ghostpdl 9.55.0
Doc Text:
A trivial escape from the sandbox (enabled with the `-dSAFER` option) was found in the ghostscript interpreter: a specially crafted document can inject a pipe command and thereby execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.
Last Closed: 2021-10-29 07:25:03 UTC
Bug Depends On: 2002625, 2003085
Bug Blocks: 2002161, 2002605

Description Cedric Buissart 2021-09-08 11:46:13 UTC
The file access protection built into Ghostscript proved insufficient for the "%pipe%" PostScript device, when combined with Ghostscript's requirement to be able to create and control temporary files in the conventional temporary file directories (for example, "/tmp" or "/temp"). This exploit is restricted to Unix-like systems (i.e., it doesn't affect Windows). The most severe claimed results are only feasible if the exploit is run as a "high privilege" user (root/superuser level) -- a practice we would discourage under any circumstances.

Resolution: The solution involves including the device specifier string ("%pipe%") in the permissions checking, meaning the entire file name string is validated, rather than (as before) only the sub-string following the device specifier. 

This flaw allows a trivial escape from the sandbox (enabled with the `-dSAFER` option). A specially crafted document could use this flaw to execute commands on the system, in the context of the ghostscript interpreter.

This flaw affects only versions from 9.50 onward.

Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=704342

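The permission-check mistake described in the comment above, modelled as an added example that is not Ghostscript's own code: the temp directory, the write allowlist, the device-prefix parser and the sample names (including the constructed "%pipe%" name) are assumptions made for illustration, and nothing is actually opened or executed. The point it shows is the one the resolution states: checking only the text after the device specifier lets a name that begins with the temp directory pass, while the pipe device treats that same text as a shell command line; checking the entire string closes the gap.

```python
"""Added example (not Ghostscript's code): a model of the -dSAFER write
check before and after the CVE-2021-3781 fix.

Ghostscript names I/O devices with a '%name%' prefix; '%pipe%' hands the
rest of the string to a shell.  Under -dSAFER the interpreter keeps lists
of path prefixes that writes may touch, and that list must cover its
temporary directory so it can create its own temp files.  The flaw: the
check was run only on the substring after the device specifier.  The fix
(ghostpdl 9.55.0): the whole string, specifier included, is checked.
"""
from __future__ import annotations

import re

TMPDIR = "/tmp/"              # assumption: conventional Unix temp dir
WRITE_PERMITTED = (TMPDIR,)   # modelled default (w) allowlist under -dSAFER

_DEVICE_RE = re.compile(r"^%([^%]*)%")


def split_device(name: str) -> tuple[str | None, str]:
    """'%pipe%cmd' -> ('pipe', 'cmd'); a plain path -> (None, path)."""
    m = _DEVICE_RE.match(name)
    if m is None:
        return None, name
    return m.group(1), name[m.end():]


def _prefix_permitted(s: str, permitted: tuple[str, ...]) -> bool:
    return any(s.startswith(p) for p in permitted)


def check_write_vulnerable(name: str, permitted=WRITE_PERMITTED) -> bool:
    """Pre-fix: only the text after '%device%' is compared with the allowlist."""
    _device, rest = split_device(name)
    return _prefix_permitted(rest, permitted)


def check_write_fixed(name: str, permitted=WRITE_PERMITTED) -> bool:
    """Post-fix: the entire name, device specifier included, is compared."""
    return _prefix_permitted(name, permitted)


def open_for_write(name: str, check) -> str:
    """Outcome of a (w) open under the given check: 'denied', 'file' or 'shell'.

    Nothing is opened or run; 'shell' means the %pipe% device would hand
    the remainder of the name to a shell as a command line.
    """
    if not check(name):
        return "denied"
    device, _rest = split_device(name)
    return "shell" if device == "pipe" else "file"


# Constructed names, not a real proof of concept.  'pipe_via_tmpdir' is the
# shape the comment calls a specially crafted pipe command: after the
# '%pipe%' prefix it begins with TMPDIR, so the old prefix test passes.
SAMPLE_NAMES = {
    "legit_temp_file": TMPDIR + "gs_scratch",
    "outside_tmp": "/etc/passwd",
    "pipe_via_tmpdir": "%pipe%" + TMPDIR + "placeholder; some-command",
    "pipe_bare": "%pipe%some-command",
}


def audit(names=SAMPLE_NAMES) -> dict[str, tuple[str, str]]:
    """Map each sample name to (vulnerable outcome, fixed outcome)."""
    return {
        label: (open_for_write(n, check_write_vulnerable),
                open_for_write(n, check_write_fixed))
        for label, n in names.items()
    }


if __name__ == "__main__":
    for label, (old, new) in audit().items():
        print(f"{label:16s} vulnerable={old:7s} fixed={new}")
```

Note why 'pipe_bare' is denied by both versions: without the temp-directory prefix the old substring check already failed, which is why the comment ties the bypass to Ghostscript's need to write its own temporary files.
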
Comment 5 Cedric Buissart 2021-09-10 10:57:45 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2003085]

Comment 6 Cedric Buissart 2021-09-10 14:28:34 UTC
*** Bug 2002800 has been marked as a duplicate of this bug. ***