Bug 1768911 (CVE-2019-14869) - CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys (701841)
Summary: CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys (701841)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14869
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1769341 1769343 1769340 1769342 1772050 1772486
Blocks: 1768746
Reported: 2019-11-05 14:25 UTC by Cedric Buissart 🐶
Modified: 2019-12-09 13:16 UTC (History)

Fixed In Version: ghostscript 9.50
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands.
Clone Of:
Environment:
Last Closed: 2019-11-14 18:51:13 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3899 None None None 2019-11-18 12:51:26 UTC
Red Hat Product Errata RHBA-2019:3903 None None None 2019-11-18 15:40:25 UTC
Red Hat Product Errata RHSA-2019:3888 None None None 2019-11-14 18:03:20 UTC
Red Hat Product Errata RHSA-2019:3890 None None None 2019-11-14 19:40:27 UTC

Description Cedric Buissart 🐶 2019-11-05 14:25:04 UTC
While .charkeys cannot be called directly, it is called by .loadwofffont, which in turn can be recovered from .loadfontfile. Using a stack overflow and error handlers, .charkeys can be crashed at a convenient location and .forceput recovered from the stack.

This can be used to disable -dSAFER and, for example, access files outside of the restricted area, or command execution.

The vulnerability is not effective against ghostscript 9.50 thanks to the reimplementation of the SAFER feature.

Reference:
https://bugs.ghostscript.com/show_bug.cgi?id=701841

Comment 3 Cedric Buissart 🐶 2019-11-06 09:40:33 UTC
Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f

Comment 6 Cedric Buissart 🐶 2019-11-07 14:41:35 UTC
The .charkeys operator was vulnerable in one way or another (`superexec` was used before `forceput`) since ghostscript-9.15.
Ghostscript versions older than ghostscript-9.15 (including RHEL-7.6 and previous releases) are not affected by this flaw.

Comment 8 Cedric Buissart 🐶 2019-11-08 09:52:50 UTC
Acknowledgments:

Name: Artifex Software
Upstream: Paul Manfred, Lukas Schauer

Comment 10 Cedric Buissart 🐶 2019-11-14 09:32:03 UTC
Mitigation:

Please refer to the "Mitigation" section of CVE-2018-16509: https://access.redhat.com/security/cve/cve-2018-16509

Comment 11 Cedric Buissart 🐶 2019-11-14 13:15:33 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1772486]

Comment 12 errata-xmlrpc 2019-11-14 18:03:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3888 https://access.redhat.com/errata/RHSA-2019:3888

Comment 13 Product Security DevOps Team 2019-11-14 18:51:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14869

Comment 14 errata-xmlrpc 2019-11-14 19:40:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3890 https://access.redhat.com/errata/RHSA-2019:3890