Bug 1666636 (CVE-2019-6116) - CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317)
Alias: CVE-2019-6116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1667442 1667443 1668888 1668891 1741040
Blocks: 1666628
Reported: 2019-01-16 09:07 UTC by Cedric Buissart
Modified: 2023-09-18 00:15 UTC (History)

Fixed In Version: ghostscript 9.27
Doc Text:
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints.
Clone Of:
Last Closed: 2019-02-01 12:57:19 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:0229 | 0 | None | None | None | 2019-01-31 18:19:40 UTC

Description Cedric Buissart 2019-01-16 09:07:16 UTC
It was found that operators did not sufficiently protect their calls to other sensitive operators.
An attacker could use this flaw to get access to sensitive operators, such as .forceput, and use these operators to disable the SAFER mode and, for example, get access to the file system outside of the restricted areas.

Comment 1 Cedric Buissart 2019-01-16 09:38:08 UTC

Please refer to the "Mitigation" section of CVE-2018-16509: https://access.redhat.com/security/cve/cve-2018-16509

Comment 2 Cedric Buissart 2019-01-16 09:38:48 UTC
External References:


Comment 7 Cedric Buissart 2019-01-22 10:14:52 UTC

Name: Tavis Ormandy (Google Project Zero)

Comment 8 Cedric Buissart 2019-01-23 20:02:27 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1668888]

Comment 11 errata-xmlrpc 2019-01-31 18:19:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0229 https://access.redhat.com/errata/RHSA-2019:0229

Comment 13 Cedric Buissart 2019-02-01 14:01:00 UTC

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 18 Red Hat Bugzilla 2023-09-18 00:15:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
