When the `gp_validate_path_len` function validates a path, it distinguishes between absolute and relative paths. In the case of relative paths, it will check the path with and without the current-directory-prefix ("foo" and "./foo"). The problem is that it doesn't take into account paths with a parent-directory-prefix. So a path like "../../foo" is also tested as "./../../foo" and if the current directory "./" is in the permitted paths, it will pass the check and you can access arbitrary files. References: ttps://ghostscript.readthedocs.io/en/gs10.03.1/News.html https://bugs.ghostscript.com/show_bug.cgi?id=707686 Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 2293960]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6197 https://access.redhat.com/errata/RHSA-2024:6197
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6466 https://access.redhat.com/errata/RHSA-2024:6466