Bug 697169

Summary: .libfile does not honor -dSAFER
Product: Ghostscript Reporter: Florian Weimer <fw>
Component: PS InterpreterAssignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED QA Contact: Bug traffic <tech>
Severity: normal    
Priority: P4 CC: chris.liddell, omarandemad, taviso
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: libfile.ps

Description Florian Weimer 2016-09-28 23:25:01 UTC
Created attachment 12972 [details]
libfile.ps

Tavis Ormandy pointed out that .libfile can be used to access arbitrary files on the file system:

  http://www.openwall.com/lists/oss-security/2016/09/29/3

His reproducer does not work with current master (27e01aa77d0cf1668f60d87cf7417c90bf309d1b) because filenameforall was fixed as bug 694724 in commit ab109aaeb3ddba59518b036fb288402a65cf7ce8.  I'm attaching a simplified reproducer for .libfile itself.
Comment 1 Chris Liddell (chrisl) 2016-10-05 08:50:23 UTC
Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
Comment 2 Ray Johnston 2017-02-13 20:31:29 UTC
The commit was pushed to the "origin" as
commit 8abd22010eb4db0fb1b10e430d5f5d83e015ef70
Author: Chris Liddell <chris.liddell@artifex.com>
Date:   Mon Oct 3 01:46:28 2016 +0100

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70

(the "user/chrisl" link is no longer available.