1382294 – (CVE-2016-7976) CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell

Bug 1382294 (CVE-2016-7976) - CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell

Summary: CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-7976
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1380329
TreeView+	depends on / blocked

Reported:	2016-10-06 09:30 UTC by Cedric Buissart
Modified:	2021-02-04 00:56 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2016-10-20 13:08:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Cedric Buissart 2016-10-06 09:30:00 UTC

It was found that, despite -dSAFER option, when the graphics library directly opens a file for reading, insufficent restriction were applied.
This allows path traversal and information disclosure, and also command execution in recent versions (9.18 and above)

Upstream bug :
http://bugs.ghostscript.com/show_bug.cgi?id=697178

Upstream patch :
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=6d444c273da5

Reference :
http://seclists.org/oss-sec/2016/q4/37

Comment 2 Cedric Buissart 2016-10-13 08:45:11 UTC

- Ghostscript's ICC profile management is a feature that started with version 9.
Thus previous versions, in particular ghostscript 8.70, do not have capability to open ICC profile files for color management, and thus are not affected by this CVE.
RHEL5 and 6 are not affected by this issue.

- Only versions 9.18 and above are affected by code execution, as a side effect of upstream commit 1fae53a7. Thus, as shipped in RHEL7 and Fedora, ghostcript is only partially affected.

Comment 3 David Kaspar // Dee'Kej 2016-10-13 09:40:00 UTC

Hello Cedric,

please note that we're using ghostscript-9.07 in RHEL7.

Best regards,

Dee'Kej

Comment 4 Cedric Buissart 2016-10-19 14:37:03 UTC

(In reply to David Kaspar [Dee'Kej] from comment #3)
> Hello Cedric,
> 
> please note that we're using ghostscript-9.07 in RHEL7.
> 
> Best regards,
> 
> Dee'Kej
Yes. The original report was mentioning that versions pre-9.18, although protected from code execution, are still affected by a directory traversal issue, allowing an attacker to open a profile outside of the dedicated directory.

This behavior has not been prevented by the fix :

$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6

Comment 5 Cedric Buissart 2016-10-20 12:57:56 UTC

The directory traversal does not seem to be considered an issue at the moment, since, in any case, if not found from the ICC profiles directory, the profile will be searched from current directory, and possibly from the root file system :

# strace -e open gs ~/ghostscript/putdevice-open2.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles//etc/passwd", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY)           = 6

It might get resolved later. I will currently consider only the execution part and mark RHEL7 & fedora as non-affected.

Comment 6 David Kaspar // Dee'Kej 2016-11-01 14:14:03 UTC

There's no clone of this BZ for Fedora, but it has been fixed there:

Commit fixing this CVE:
http://pkgs.fedoraproject.org/cgit/rpms/ghostscript.git/commit/?id=040b22b22c7cb

Fixed in version:
ghostscript-9.20-2

Note You need to log in before you can comment on or make changes to this bug.