Bug 1744042 (CVE-2019-14817) - CVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)
Summary: CVE-2019-14817 ghostscript: Safer mode bypass by .forceput exposure in .pdfex...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1744229 1744231 1744228 1744230 1747909
Blocks: 1743530
Reported: 2019-08-21 08:03 UTC by Cedric Buissart 🐶
Modified: 2019-09-12 08:41 UTC

Fixed In Version: ghostscript 9.28
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the .pdfexectoken and other procedures, which did not properly secure their privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable the security protection and then access the file system or execute arbitrary commands.
Clone Of:
Environment:
Last Closed: 2019-09-02 13:07:29 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2675 None None None 2019-09-05 17:27:44 UTC
Red Hat Product Errata RHSA-2019:2586 None None None 2019-09-02 07:54:06 UTC
Red Hat Product Errata RHSA-2019:2591 None None None 2019-09-02 07:54:28 UTC

Description Cedric Buissart 🐶 2019-08-21 08:03:34 UTC
There seem to be several .forceput accessible in .pdfexectoken and other procedures.

For the case of .pdfexectoken: several .forceput are available on the stack:

{-dict- /PDFSTEPcount --known-- --not-- {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly-- --if-- PDFSTEP {-dict- /PDFtokencount 2 --copy-- --.knownget-- {1 --add--} {1} --ifelse-- --.forceput-- PDFSTEPcount 1 --gt-- {-dict- /PDFSTEPcount PDFSTEPcount 1 --sub-- --.forceput--} --executeonly-- {--dup-- ==only (    step # ) --print-- PDFtokencount =only ( ? ) --print-- --flush-- 1 false --.outputpage-- (%stdin) (r) --file-- 255 --string-- --readline-- {--token-- {--exch-- --pop-- -dict- /PDFSTEPcount 3 -1 --roll-- --.forceput--} --executeonly-- {-dict- /PDFSTEPcount 1 --.forceput--} --executeonly-- --ifelse--} {--pop-- /PDFSTEP false --def--} --ifelse--} --ifelse--} --executeonly-- {--dup-- ==only () = --flush--} --ifelse--}                        

As with the other recent vulnerabilities, the recent mitigation included post-gs-9.27 successfully prevents arbitrary file access & code execution even when the script disables SAFER. However, gs versions up to 9.27 are affected.

This can be used to disable -dSAFER and, for example, access files outside of the restricted area or execute commands.

Reference:
https://bugs.ghostscript.com/show_bug.cgi?id=701450

Comment 3 Cedric Buissart 🐶 2019-08-21 15:12:31 UTC
Upstream fix (containing additional potential fixes other than .pdfexectoken):
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Comment 9 Cedric Buissart 🐶 2019-08-30 09:56:06 UTC
Acknowledgments:

Name: Artifex Software

Comment 10 errata-xmlrpc 2019-09-02 07:54:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2586 https://access.redhat.com/errata/RHSA-2019:2586

Comment 11 errata-xmlrpc 2019-09-02 07:54:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2591 https://access.redhat.com/errata/RHSA-2019:2591

Comment 12 Cedric Buissart 🐶 2019-09-02 08:53:32 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1747909]

Comment 13 Product Security DevOps Team 2019-09-02 13:07:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14817
