Bug 688149

Summary: Problems, including one security-related, with handling dictionaries
Product: Ghostscript
Reporter: SaGS <sags5495>
Component: PS Interpreter
Assignee: Stefan Kemper <stefan.kemper>
Status: NOTIFIED FIXED
Severity: normal
Priority: P3
Version: master
Hardware: PC
OS: All
Customer:
Word Size: ---
Attachments: Sample file: Bug688149.pdf; Suggested patch.

Description SaGS 2005-06-21 11:23:32 UTC
A problem exists in the way the PostScript interpreter handles 
dictionaries, with various effects as follows:

(A) Regular PostScript page description programs may be affected, but it
    is unlikely for them to be.

(B) The Ghostscript PDF interpreter does not seem to be affected, even if 
    lib\pdf_base.ps does create PostScript objects that are subject to 
    this bug.

(C) lib\pdfwrite.ps and tools based on it, like pdfinflt.ps, are affected. 
    The symptom is an "Error: /undefined in --get--", with the output 
    truncated somewhere inside the first stream's dictionary; the last 
    token written is "/File". The bug appears with encrypted PDFs; it has 
    nothing to do with encryption, but implementation details of a proc in 
    pdf_base.ps prevent it from being triggered with the unencrypted ones.

    Note:
        The same symptom, but with a completely different cause, appears 
        in bug #688152 "'Undefined in get' and extra trailer keys with 
        pdfwrite.ps and PDF1.5+".

(D) Last but not the least, this is a vulnerability that can be exploited 
    to delete any file, even in safe mode.
    - the name of the file to be deleted must be known in advance or 
      obtained by other means;
    - I *think* it cannot be exploited to read/modify/create files 
      without having the appropriate permissions (PermitFileXxx).

Comment 1 SaGS 2005-06-21 11:29:11 UTC
Created attachment 1457
Sample file: Bug688149.pdf.

File to reproduce the problem. Specially created to isolate this 
particular bug; for other files, another error usually masks this one.

PDF user/owner passwords: "user", respectively "owner" (without quotes).

Command line (Windows):

    gswin32c -dNOPAUSE -sPDFPassword=owner -- toolbin\pdfinflt.ps Bug688149.pdf out.pdf

Comment 2 SaGS 2005-06-21 11:29:55 UTC
Created attachment 1458
Suggested patch.

The patch fixes only the problem mentioned in this report. The command 
shown in comment #1 above will succeed, but the output PDF will still be 
invalid because encrypted PDFs are not processed properly (bugs unrelated 
to this one).

Comment 3 Ray Johnston 2006-05-16 21:58:15 UTC
Patch committed.

Thanks to mat Gh Savulescu for the bug report, the patch and excellent 
analysis of the problem.