There is a missing type check in line 292 of zcolor.c:
Here `pPatInst` comes from the first array element of `pImpl`
which comes from `op`:
The type of `pPatInst` is not checked and is used in `r_ptr`, which accesses its `pstruct` value and then cast it into `gs_pattern_instance_t`. As `op` is an untrusted argument, this can lead to type confusion issue when parsing malicious postscript. (Access to arbitrary pointer)
Created ghostscript tracking bugs for this issue:
Affects: fedora-all [bug 1656320]
Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509
This vulnerability allows remote code execution when a user opens a specially-crafted PS or PDF file, or when a user uses the file explorer to browse a directory containing such a file (triggering thumbnail generation). CVE-2018-19134 was patched upstream on 8 November (http://git.ghostscript.com/?p=ghostpdl.git;h=693baf02152119af6e6afd30bb8ec76d14f84bbf), and a new Ghostscript version containing the patch was released three weeks ago on 20 November (version 9.26: https://www.ghostscript.com/doc/9.26/News.htm).
Debian/Ubuntu patched the vulnerability in November. As it stands, users of RedHat, Fedora, and CentOS are still vulnerable.
I'm part of the team at Semmle; my colleague Man Yue Mo discovered the vulnerability. We take coordinated/responsible disclosure very seriously. With the patch committed to a public Git repository and a new release been made available three weeks ago, we consider the details of this vulnerability to be public knowledge. Please be aware that we will therefore imminently publish more information about the discovery of this vulnerability.
We are aware of the code execution potential of this vulnerability, and the flaw is treated as Important. We are currently actively working on a solution to resolve the different recently discovered flaws without creating regressions.
It is to be noted that starting from Red Hat Enterprise Linux 7.6, the thumbnailer is executed in a sandbox.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:3834 https://access.redhat.com/errata/RHSA-2018:3834
Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.