Bug 697808

Summary: %pipe% security issue
Product: Ghostscript
Reporter: seth.arnold
Component: General
Assignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Bug traffic <gs-bugs>
Severity: normal
Priority: P1
CC: chris.liddell, dkaspar, simons, taviso
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---

Comment 1 seth.arnold 2017-04-26 18:34:07 PDT
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.

Thanks
Comment 2 Tavis Ormandy 2017-04-26 20:47:35 PDT
I think the shell commands are a red herring; the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.

It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.

A more minimal testcase would be just 16#0x41414141 .rsdparams.

(see bug 697190 for an older example)
Comment 3 Tavis Ormandy 2017-04-26 20:48:18 PDT
(without the 0x, sorry)
Comment 4 Tavis Ormandy 2017-04-26 21:13:37 PDT
Oh, and .eqproc also needs to be fixed. Fun.
Comment 5 Chris Liddell (chrisl) 2017-04-27 01:24:03 PDT

*** This bug has been marked as a duplicate of bug 697799 ***