1859492 – (CVE-2020-15900) CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sandbox Breakout)

Bug 1859492 (CVE-2020-15900) - CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sandbox Breakout)

Summary: CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sand...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-15900
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1862005
Blocks:	1859490
TreeView+	depends on / blocked

Reported:	2020-07-22 09:39 UTC by Cedric Buissart
Modified:	2021-02-16 19:38 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ghostpdl 9.53
Doc Type:	If docs needed, set a value
Doc Text:	Ghostscript's rsearch procedure was vulnerable to an integer underflow, leading to a miscalculation of the size of a buffer, which then can be used to access arbitrary memory. As a result, a specially crafted postscript file could use this flaw to disable the sandbox, which allows arbitrary reads and writes on the file system and execute commands.
Clone Of:
Environment:
Last Closed:	2020-07-30 07:27:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Cedric Buissart 2020-07-22 09:39:20 UTC

The vulnerability occurs in the "rsearch" Postscript function, as
implemented in:

https://github.com/ArtifexSoftware/ghostpdl/blob/master/psi/zstring.c#L109


When conducting a reverse search for an empty string in an empty string
as follows:

```
    %!PS
    () dup rsearch
```

The length of the pre-match result is decremented from zero, resulting in
a string reference of length 2**32-1. This may subsequently be used to read
and write up to 4GB of memory.

Comment 1 Cedric Buissart 2020-07-22 09:49:01 UTC

The vulnerability affects ghostcript versions >= 9.50, and has been introduced by upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff

Comment 2 Cedric Buissart 2020-07-22 10:53:25 UTC

Acknowledgments:

Name: Chris Liddell (Artifex)
Upstream: Timothy Goddard (Insomnia Security)

Comment 3 Cedric Buissart 2020-07-25 09:24:19 UTC

Upstream fix : 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b

Comment 5 Cedric Buissart 2020-07-30 06:51:45 UTC

Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1862005]

Comment 6 Product Security DevOps Team 2020-07-30 07:27:44 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15900

Note You need to log in before you can comment on or make changes to this bug.