Bug 2002271 (CVE-2021-3781) - CVE-2021-3781 ghostscript: sandbox escape using '%pipe%'
Summary: CVE-2021-3781 ghostscript: sandbox escape using '%pipe%'
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3781
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2002800
Depends On: 2002625 2003085
Blocks: 2002161 2002605
Reported: 2021-09-08 11:46 UTC by Cedric Buissart
Modified: 2023-07-11 11:28 UTC (History)

Fixed In Version: ghostpdl 9.55.0
Doc Type: If docs needed, set a value
Doc Text:
A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-10-29 07:25:03 UTC
Embargoed:



Description Cedric Buissart 2021-09-08 11:46:13 UTC
The file access protection built into Ghostscript proved insufficient for the "%pipe%" PostScript device, when combined with Ghostscript's requirement to be able to create and control temporary files in the conventional temporary file directories (for example, "/tmp" or "/temp"). This exploit is restricted to Unix-like systems (i.e., it doesn't affect Windows). The most severe claimed results are only feasible if the exploit is run as a "high privilege" user (root/superuser level) -- a practice we would discourage under any circumstances.

Resolution: The solution involves including the device specifier string ("%pipe%") in the permissions checking, meaning the entire file name string is validated, rather than (as before) only the sub-string following the device specifier. 

This flaw allows trivially escaping the sandbox (enabled with the `-dSAFER` option). A specially crafted document could use this flaw to execute commands on the system, in the context of the ghostscript interpreter.

This flaw affects only versions from 9.50 onward.

Upstream bug:
https://bugs.ghostscript.com/show_bug.cgi?id=704342
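
The difference between the two checks named in the Resolution paragraph, shown as an added example: a simplified model in C, not Ghostscript's code and not part of the original report. The permit list, the function names and the sample file names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed permit list modelling "temporary directories are allowed".
   Illustrative only; not Ghostscript's data structure. */
static const char *const permitted[] = { "/tmp/", "/temp/" };

/* 1 if name begins with any permitted prefix, else 0. */
static int prefix_permitted(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof permitted / sizeof permitted[0]; i++)
        if (strncmp(name, permitted[i], strlen(permitted[i])) == 0)
            return 1;
    return 0;
}

/* Text after a leading "%device%" specifier, or name if there is none. */
static const char *after_device(const char *name)
{
    const char *end = (name[0] == '%') ? strchr(name + 1, '%') : NULL;
    return end ? end + 1 : name;
}

/* "Before": only the sub-string following the device specifier is checked. */
int check_substring_only(const char *name)
{
    return prefix_permitted(after_device(name));
}

/* Resolution: the entire name, device specifier included, is checked. */
int check_full_name(const char *name)
{
    return prefix_permitted(name);
}

int main(void)
{
    /* Constructed sample names. */
    const char *s[] = { "/tmp/sample.tmp", "%pipe%/tmp/sample", "%pipe%sample" };
    size_t i;
    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s substring-only=%d full-name=%d\n", s[i],
               check_substring_only(s[i]), check_full_name(s[i]));
    return 0;
}
```

The second sample is the case the report describes: the part after the specifier looks like a temporary-file path, so the substring-only check accepts a name that is really a pipe, while the full-name check rejects it.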

Comment 5 Cedric Buissart 2021-09-10 10:57:45 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2003085]

Comment 6 Cedric Buissart 2021-09-10 14:28:34 UTC
*** Bug 2002800 has been marked as a duplicate of this bug. ***

