Bug 2293950 (CVE-2024-29510)

Summary: CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass)
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ghostscript 10.03.1 Doc Type: ---
Doc Text:
A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are treated as format strings for gp_fprintf and gs_snprintf. This lack of restriction permits arbitrary format strings with multiple specifiers, potentially leading to data leakage from the stack and memory corruption. In RHEL 9 or newer, an attacker could exploit this vulnerability to temporarily disable Ghostscript’s SAFER mode, which prevents Postscript code from executing commands or opening arbitrary files during the current invocation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2293951    
Bug Blocks: 2278776    

Description Robb Gatica 2024-06-24 15:38:17 UTC 
The `uniprint` device allows the user to provide various string fragments as device options, which are later appended to the output file. Two of these parameters, `upWriteComponentCommands` and `upYMoveCommand`, are actually treated as format strings, specifically for `gp_fprintf` and `gs_snprintf`. For these, the intention is for the user to include just one format specifier in the string, but there is no logic preventing arbitrary format strings (with multiple specifiers) from being used.

With full control over the format string (by setting a page device with the respective options), and read access to the device output (by setting it to a temporary file path), an attacker can abuse this to leak data from the stack and perform memory corruption. This is specifically impactful in the cases of `gs_snprintf` (as opposed to `gp_fprintf`), as its format-string parsing logic is not hardened by compiler measures like `D_FORTIFY_SOURCE`, while it still supports the `%n` modifier.

References:
https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
https://bugs.ghostscript.com/show_bug.cgi?id=707662

Upstream commit: 
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e8db3416ab36de93e86d1f
Comment 1 Robb Gatica 2024-06-24 15:42:45 UTC 
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2293951]
Comment 3 errata-xmlrpc 2024-09-03 10:24:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6197 https://access.redhat.com/errata/RHSA-2024:6197
Comment 4 errata-xmlrpc 2024-09-09 01:31:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6466 https://access.redhat.com/errata/RHSA-2024:6466