Bug 1380327 (CVE-2013-5653) - CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
Summary: CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
Status: CLOSED ERRATA
Alias: CVE-2013-5653
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20131021,repor...
Keywords: Security
Depends On: 1390299 1390300 1390301 1390302 1390486
Blocks: 1380329
TreeView+ depends on / blocked
 
Reported: 2016-09-29 10:03 UTC by Adam Mariš
Modified: 2017-01-04 11:10 UTC (History)
13 users (show)

(edit)
It was found that the ghostscript functions getenv and filenameforall did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable and list directory respectively, from the target.
Clone Of:
(edit)
Last Closed: 2017-01-04 11:10:03 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0013 normal SHIPPED_LIVE Moderate: ghostscript security update 2017-01-04 15:09:56 UTC
Red Hat Product Errata RHSA-2017:0014 normal SHIPPED_LIVE Moderate: ghostscript security update 2017-01-04 15:09:47 UTC

Description Adam Mariš 2016-09-29 10:03:47 UTC
It was found that getenv and filenameforall ignore -dSAFER possibly allowing filesystem enumeration.

Upstream bug:

http://bugs.ghostscript.com/show_bug.cgi?id=694724

Upstream patch:

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8

Reference:
http://seclists.org/oss-sec/2016/q3/651


Reproducer:

%!PS
(HOME) getenv { print (\n) print } { (variable not found\n) print } ifelse

Comment 5 Cedric Buissart 🐶 2016-11-01 08:42:05 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1390486]

Comment 12 errata-xmlrpc 2017-01-04 10:10:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0014 https://rhn.redhat.com/errata/RHSA-2017-0014.html

Comment 13 errata-xmlrpc 2017-01-04 10:11:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0013 https://rhn.redhat.com/errata/RHSA-2017-0013.html


Note You need to log in before you can comment on or make changes to this bug.