| Summary: | buffer overflow in errprintf | | |
|---|---|---|---|
| Product: | Ghostscript | Reporter: | David Srbecky <dsrbecky> |
| Component: | PS Interpreter | Assignee: | Alex Cherepanov <alex> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | htl10, jackie.rosen |
| Priority: | P4 | Keywords: | bountiable |
| Version: | 8.70 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Customer: | | Word Size: | --- |

Attachments:
- MS-Publisher-Imagesetter-Portability.ps
- MS-Publisher-Imagesetter-Speed.ps
- patch
Description

David Srbecky
2009-10-18 14:18:55 UTC

Please attach an example PostScript file.

Created attachment 5505 [details]
MS-Publisher-Imagesetter-Portability.ps
Windows test page produced by MS Publisher Imagesetter. Optimize for portability.

Created attachment 5506 [details]
MS-Publisher-Imagesetter-Speed.ps
Windows test page produced by MS Publisher Imagesetter. Optimize for speed.
Both files work correctly with GS (X11 device) on Fedora with the current HEAD. This is not a surprise; the stack trace shows:

```
D [18/Oct/2009:22:44:37 +0200] [Job 41] cups_put_params(0x96e116c, 0xbfcba828)
D [18/Oct/2009:22:44:37 +0200] [Job 41] *** buffer overflow detected ***: /usr/bin/gs terminated
D [18/Oct/2009:22:44:37 +0200] [Job 41] ======= Backtrace: =========
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__fortify_fail+0x40)[0xcd1ec0]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xcd0010]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6[0xccf748]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_default_xsputn+0xbe)[0xc464ce]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(_IO_vfprintf+0x38da)[0xc1b56a]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /lib/libc.so.6(__vsprintf_chk+0xa7)[0xccf7f7]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(errprintf+0x54)[0x6549e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41] /usr/lib/libgs.so.8(cups_put_params+0xb94)[0x6283e4]
D [18/Oct/2009:22:44:37 +0200] [Job 41]
```

Which indicates that cups_put_params, presumably part of CUPS (a CUPS device?), was executed, and that caused both the call to errprintf and the resulting stack overflow. Since I didn't use CUPS, I didn't get an error.... Trying with the CUPS device, but without invoking CUPS itself (I don't have a working CUPS setup), did not produce an error on Fedora.

I cannot reproduce either. Fedora 11 x86_64 with either 8.70 or HEAD (r10180). I tried:

```
bin/gs -sDEVICE=cups -o /dev/null MS-Publisher-Imagesetter-Speed.ps
```

Perhaps we need the job options. Can you give us a command line that fails?

I also tried 'lpr MS-Publisher-Imagesetter-Speed.ps' and the job printed without error. That was to a PostScript printer though, so it may not have invoked Ghostscript. I also tried printing through CUPS (Fedora 11 x86_64) with the pxlmono driver, still no reproduction. We'll need more information before we can address this.
I think that the current implementation of errprintf() and outprintf() is a security hole. It's quite easy to smash the stack using a long message. First, we can use vsnprintf() to truncate long messages. Second, it's possible to write a subroutine that either
- estimates the print size and allocates a buffer, or
- writes the long messages in parts.

If you do 'debuginfo-install ghostscript' and manage to reproduce the bug, the stack trace would show the line numbers, etc., I think; or one could do objdump /usr/lib/libgs.so.8 to turn those addresses into line numbers. Also, one of CUPS's other logs should have the command line used to invoke gs.

Am on Fedora 11 x86_64 and can't reproduce this either.

Make bountiable and assign to alex.

"Comment #25 From Vincent Danen 2009-11-27 10:18:34 EDT ------- This issue does not affect Red Hat Enterprise Linux due to it using the older versions of ghostscript. The incorrect debug logging code in gdevcups.c is not present in ghostscript 8.15 and earlier; it was introduced in version 8.64. Likewise, in order to exploit this the MediaType string needs to be larger than the 1024-byte buffer in errprintf, but in older versions of ghostscript, gdevcups does not write out the MediaType string in its debug logging at all. There are also no other calls to errprint or outprintf that use the %s specifier with user-supplied strings."

Can someone confirm that 8.15 is not vulnerable?

> This issue does not affect Red Hat Enterprise Linux due to it using the older versions of ghostscript.
> The incorrect debug logging code in gdevcups.c is not present in ghostscript
> 8.15 and earlier; ...
> Can someone confirm that 8.15 is not vulnerable?

That's a non-question: gdevcups.c was not in *GPL* ghostscript 8.15, because it was only merged in around 8.5x; however, before the 8.5x merge, most Linux distributions (including RHEL) were shipping ESP ghostscript, which *did* have gdevcups.c.

Whether the gdevcups.c shipped by RHEL in ESP ghostscript is vulnerable is a question you need to ask Red Hat personnel and/or examine what they actually ship (grab the src rpm).

Created attachment 5827 [details]
patch
Use the safer function vsnprintf() instead of vsprintf() for error reporting.
Truncate long messages, issue a warning, and continue.

The patch has been committed as rev. 10568.
Regression testing shows no differences.
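As an added illustration of the two fixes discussed in this thread (the committed change to vsnprintf() with truncation and a warning, and the alternative of sizing a buffer before formatting), the following is example code written for this page and is not Ghostscript's own errprintf()/outprintf() or the committed patch. The names safe_errprintf, errprintf_bounded, format_alloc and the check helpers are hypothetical; the 1024-byte buffer size is taken from the report; the long MediaType value is constructed test input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same 1024-byte buffer size the report attributes to errprintf(). */
#define SAFE_ERRPRINTF_BUF 1024
static const char truncation_note[] = "...[truncated]";

/* Strategy 1 (what the committed patch describes): vsnprintf() into a fixed
 * buffer, so an oversized message is cut off instead of being written past
 * the end of the stack buffer.  Returns 1 if the message was truncated. */
static int format_bounded(char *buf, size_t bufsize, const char *fmt, va_list ap)
{
    int needed = vsnprintf(buf, bufsize, fmt, ap);
    if (needed < 0) { buf[0] = '\0'; return 0; }   /* encoding error: empty */
    if ((size_t)needed < bufsize) return 0;        /* fit, NUL included */
    /* vsnprintf kept bufsize-1 bytes plus NUL; make the cut visible */
    size_t note_len = strlen(truncation_note);
    if (bufsize > note_len)
        memcpy(buf + bufsize - 1 - note_len, truncation_note, note_len + 1);
    return 1;
}

/* Variadic front end that formats into a caller-supplied buffer. */
int errprintf_bounded(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int truncated = format_bounded(buf, bufsize, fmt, ap);
    va_end(ap);
    return truncated;
}

/* errprintf()-shaped replacement: print, warn on truncation, continue. */
int safe_errprintf(const char *fmt, ...)
{
    char buf[SAFE_ERRPRINTF_BUF];
    va_list ap;
    va_start(ap, fmt);
    int truncated = format_bounded(buf, sizeof buf, fmt, ap);
    va_end(ap);
    fputs(buf, stderr);
    if (truncated) fputs("\nWarning: previous message was truncated\n", stderr);
    return truncated;
}

/* Strategy 2 (the other option raised in the discussion): measure with
 * vsnprintf(NULL, 0, ...), then allocate exactly enough.  Caller frees. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* ap is consumed by the measuring call */
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *out = (needed < 0) ? NULL : malloc((size_t)needed + 1);
    if (out != NULL) vsnprintf(out, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

/* Constructed input: an n-byte run of 'A' standing in for the MediaType value. */
static char *repeat_a(size_t n)
{
    char *s = malloc(n + 1);
    if (s != NULL) { memset(s, 'A', n); s[n] = '\0'; }
    return s;
}

/* strlen of "MediaType=<n x 'A'>" after the bounded path (0 on OOM). */
size_t bounded_len_for(size_t n)
{
    char buf[SAFE_ERRPRINTF_BUF], *value = repeat_a(n);
    if (value == NULL) return 0;
    errprintf_bounded(buf, sizeof buf, "MediaType=%s", value);
    free(value);
    return strlen(buf);
}

/* Truncation flag for the same input (-1 on OOM). */
int bounded_truncated_for(size_t n)
{
    char buf[SAFE_ERRPRINTF_BUF], *value = repeat_a(n);
    if (value == NULL) return -1;
    int t = errprintf_bounded(buf, sizeof buf, "MediaType=%s", value);
    free(value);
    return t;
}

/* strlen of the same message via the allocating path (0 on failure). */
size_t alloc_len_for(size_t n)
{
    char *value = repeat_a(n), *msg;
    if (value == NULL) return 0;
    msg = format_alloc("MediaType=%s", value);
    size_t len = (msg != NULL) ? strlen(msg) : 0;
    free(msg);
    free(value);
    return len;
}
```

With the 10-character "MediaType=" prefix, a 1013-byte value is the last one that fits the 1024-byte buffer (1023 characters plus the terminator); one byte more and the bounded path reports truncation while its output stays capped at 1023 characters, whereas the allocating path returns the full 1024-plus-character message. The truncation marker overwrites the tail rather than extending it, so the buffer is never grown.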