Bug 1859492 (CVE-2020-15900) - CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sandbox Breakout)
Summary: CVE-2020-15900 ghostscript: Memory Corruption in Ghostscript 9.52 (SAFER Sand...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-15900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1862005
Blocks: 1859490
TreeView+ depends on / blocked
 
Reported: 2020-07-22 09:39 UTC by Cedric Buissart
Modified: 2021-02-16 19:38 UTC (History)
6 users (show)

Fixed In Version: ghostpdl 9.53
Doc Type: If docs needed, set a value
Doc Text:
Ghostscript's rsearch procedure was vulnerable to an integer underflow, leading to a miscalculation of the size of a buffer, which then can be used to access arbitrary memory. As a result, a specially crafted postscript file could use this flaw to disable the sandbox, which allows arbitrary reads and writes on the file system and execute commands.
Clone Of:
Environment:
Last Closed: 2020-07-30 07:27:44 UTC
Embargoed:


Attachments (Terms of Use)

Description Cedric Buissart 2020-07-22 09:39:20 UTC
The vulnerability occurs in the "rsearch" Postscript function, as
implemented in:

https://github.com/ArtifexSoftware/ghostpdl/blob/master/psi/zstring.c#L109


When conducting a reverse search for an empty string in an empty string
as follows:

```
    %!PS
    () dup rsearch
```

The length of the pre-match result is decremented from zero, resulting in
a string reference of length 2**32-1. This may subsequently be used to read
and write up to 4GB of memory.

Comment 1 Cedric Buissart 2020-07-22 09:49:01 UTC
The vulnerability affects ghostcript versions >= 9.50, and has been introduced by upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff

Comment 2 Cedric Buissart 2020-07-22 10:53:25 UTC
Acknowledgments:

Name: Chris Liddell (Artifex)
Upstream: Timothy Goddard (Insomnia Security)

Comment 5 Cedric Buissart 2020-07-30 06:51:45 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 1862005]

Comment 6 Product Security DevOps Team 2020-07-30 07:27:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15900


Note You need to log in before you can comment on or make changes to this bug.