Bug 1666636 (CVE-2019-6116) - CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) [NEEDINFO]
Status: CLOSED ERRATA
Alias: CVE-2019-6116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1667442 1667443 1668888 1668891 1741040
Blocks: 1666628
Reported: 2019-01-16 09:07 UTC by Cedric Buissart
Modified: 2020-07-01 02:55 UTC

Fixed In Version: ghostscript 9.27
Doc Text:
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints.
Last Closed: 2019-02-01 12:57:19 UTC
pravisha: needinfo? (cww)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0229 None None None 2019-01-31 18:19:40 UTC

Description Cedric Buissart 2019-01-16 09:07:16 UTC
It was found that operators did not sufficiently protect their calls to other sensitive operators.
An attacker could use this flaw to get access to sensitive operators, such as .forceput, and use these operators to disable the SAFER mode, and for example, get access to the file system outside of the restricted areas.

Comment 1 Cedric Buissart 2019-01-16 09:38:08 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509: https://access.redhat.com/security/cve/cve-2018-16509

Comment 2 Cedric Buissart 2019-01-16 09:38:48 UTC
External References:

https://bugs.ghostscript.com/show_bug.cgi?id=700317

Comment 7 Cedric Buissart 2019-01-22 10:14:52 UTC
Acknowledgments:

Name: Tavis Ormandy (Google Project Zero)

Comment 8 Cedric Buissart 2019-01-23 20:02:27 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1668888]

Comment 11 errata-xmlrpc 2019-01-31 18:19:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229

Comment 13 Cedric Buissart 2019-02-01 14:01:00 UTC
Statement:

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
