It was found that, despite the -dSAFER option, when the graphics library directly opens a file for reading, insufficient restrictions were applied.
This allows path traversal and information disclosure, and also command execution in recent versions (9.18 and above).
Upstream bug :
Upstream patch :
- Ghostscript's ICC profile management is a feature that started with version 9.
Thus previous versions, in particular ghostscript 8.70, do not have the capability to open ICC profile files for color management, and so are not affected by this CVE.
RHEL5 and 6 are not affected by this issue.
- Only versions 9.18 and above are affected by code execution, as a side effect of upstream commit 1fae53a7. Thus, as shipped in RHEL7 and Fedora, ghostscript is only partially affected.
please note that we're using ghostscript-9.07 in RHEL7.
(In reply to David Kaspar [Dee'Kej] from comment #3)
> Hello Cedric,
> please note that we're using ghostscript-9.07 in RHEL7.
> Best regards,
Yes. The original report was mentioning that versions pre-9.18, although protected from code execution, are still affected by a directory traversal issue, allowing an attacker to open a profile outside of the dedicated directory.
This behavior has not been prevented by the fix:
$ strace -f -e open gs -dSAFER putdevice-open.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 6
The directory traversal does not seem to be considered an issue at the moment, since, in any case, if the profile is not found in the ICC profiles directory, it will be searched for in the current directory, and possibly from the root file system:
# strace -e open gs ~/ghostscript/putdevice-open2.ps |& grep passwd
open("/usr/share/ghostscript/9.20/iccprofiles//etc/passwd", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY) = 6
It might get resolved later. I will currently consider only the execution part and mark RHEL7 & fedora as non-affected.
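The two strace traces above show the same lookup order from two angles: the profile name is first appended to the ICC profile directory (which is why "../../../../../etc/passwd" escapes it and "/etc/passwd" becomes "iccprofiles//etc/passwd"), and when that fails the name is tried on its own, so an absolute name is opened directly. The following is an added example, not Ghostscript code and not from this bug report: it models that lookup order in Python, with an injected "exists" check and a constructed stand-in filesystem (PROFILE_DIR and FAKE_FS are assumptions) so it runs offline, and puts a confined variant beside it that normalises the joined path and refuses anything that does not stay below the profile directory.

```python
import os

# Assumed profile directory, taken from the paths in the strace output above.
PROFILE_DIR = "/usr/share/ghostscript/9.20/iccprofiles"

# Constructed stand-in for the filesystem: only these files "exist".
FAKE_FS = {"/etc/passwd", PROFILE_DIR + "/sRGB.icc"}


def fake_exists(path):
    """Existence check against FAKE_FS; normpath so '..' and '//' resolve."""
    return os.path.normpath(path) in FAKE_FS


def candidate_paths(name, profile_dir=PROFILE_DIR):
    """Paths a naive lookup tries, in order: plain string concatenation with
    the profile directory (hence 'iccprofiles//etc/passwd' for an absolute
    name), then the bare name (relative to the cwd, or absolute)."""
    return [profile_dir + "/" + name, name]


def naive_lookup(name, exists=fake_exists, profile_dir=PROFILE_DIR):
    """Return the first candidate that exists, else None. Both a '..' name and
    an absolute name end up opening a file outside profile_dir."""
    for path in candidate_paths(name, profile_dir):
        if exists(path):
            return path
    return None


def confine(name, profile_dir=PROFILE_DIR):
    """Hardened resolution: join, normalise, and keep the result only if it is
    strictly below profile_dir. A '..'-laden name is rejected (None); an
    absolute name is reinterpreted relative to profile_dir rather than
    escaping it."""
    base = os.path.normpath(profile_dir)
    path = os.path.normpath(profile_dir + "/" + name)
    # normpath is purely lexical. On a real filesystem, resolve symlinks with
    # os.path.realpath on both base and path before comparing.
    if path == base or os.path.commonpath([base, path]) != base:
        return None
    return path


def confined_lookup(name, exists=fake_exists, profile_dir=PROFILE_DIR):
    """Open only a confined path, and only if it exists; never fall back to
    the cwd or the root filesystem."""
    path = confine(name, profile_dir)
    if path is None or not exists(path):
        return None
    return path


if __name__ == "__main__":
    for name in ["sRGB.icc", "../../../../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r}: naive={naive_lookup(name)!r} "
              f"confined={confined_lookup(name)!r}")
```

Run stand-alone, the script shows the traversal and the absolute name both resolving to /etc/passwd under the naive lookup, while the confined lookup only ever returns the bundled sRGB.icc. The check on the normalised path is the part to keep: a prefix string comparison on the un-normalised path would accept "../../../../../etc/passwd" because it still starts with the profile directory.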
There's no clone of this BZ for Fedora, but it has been fixed there:
Commit fixing this CVE:
Fixed in version: