Bug 697808

Summary: %pipe% security issue
Product: Ghostscript
Component: General
Assignee: Default assignee <ghostpdl-bugs>
Reporter: seth.arnold
CC: casenet.us, chris.liddell, sam, simons, taviso
Status: RESOLVED DUPLICATE
Severity: normal
Priority: P1
Version: master
Hardware: PC
OS: Linux
Word Size: ---

Comment 1 seth.arnold 2017-04-26 18:34:07 UTC
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.

Thanks
Comment 2 Tavis Ormandy 2017-04-26 20:47:35 UTC
I think the shell commands are a red herring, the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.

It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.

A more minimal testcase would be just 16#0x41414141 .rsdparams.

(see bug 697190 for an older example)
Comment 3 Tavis Ormandy 2017-04-26 20:48:18 UTC
(without the 0x, sorry)
Comment 4 Tavis Ormandy 2017-04-26 21:13:37 UTC
Oh, and .eqproc also needs to be fixed. Fun.
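The defect Tavis describes in comments 2 to 4 is an operator that interprets its operand as a dictionary without first checking the operand's type tag, so an integer such as the `16#41414141` in his minimal testcase is treated as a pointer. The following is an added illustration of that class of bug and of the check that closes it; it is not Ghostscript source and not the proof-of-concept from this bug. The tagged-union `struct obj`, the enum values, and the functions `rsdparams_unchecked` and `rsdparams_checked` are simplified, invented names modelling a PostScript-style interpreter operand, not Ghostscript's real `ref` layout.

```c
/* Added example, not Ghostscript code: a simplified model of a tagged-union
 * operand and of an operator that trusts the operand's type versus one that
 * checks it. All names here are invented for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum obj_type { OBJ_NULL, OBJ_INT, OBJ_DICT };

/* Stand-in for a PostScript dictionary: just one entry we care about. */
struct dict { const char *filter; };

/* An operand: a type tag plus a union payload. An integer and a pointer
 * share the same storage, which is what makes a missing tag check dangerous. */
struct obj {
    enum obj_type type;
    union { int64_t i; struct dict *d; } v;
};

enum { E_OK = 0, E_TYPECHECK = -1 };

/* Unchecked: reads v.d no matter what the tag says. Given an integer operand
 * like 16#41414141 this dereferences the integer as a pointer (type confusion),
 * which typically shows up as a segmentation violation. Only ever call it
 * with a real dictionary. */
const char *rsdparams_unchecked(const struct obj *op)
{
    return op->v.d->filter;
}

/* Checked: the tag is validated before the union is read as a pointer.
 * Null is accepted as "no parameters"; anything else that is not a
 * dictionary is rejected as a typecheck error instead of being dereferenced. */
int rsdparams_checked(const struct obj *op, const char **filter_out)
{
    if (op->type == OBJ_NULL) { *filter_out = NULL; return E_OK; }
    if (op->type != OBJ_DICT) return E_TYPECHECK;
    *filter_out = op->v.d->filter;
    return E_OK;
}

/* Helpers to build operands for the demonstration. */
struct obj make_int(int64_t i)        { struct obj o; o.type = OBJ_INT;  o.v.i = i;    return o; }
struct obj make_dict(struct dict *d)  { struct obj o; o.type = OBJ_DICT; o.v.d = d;    return o; }
struct obj make_null(void)            { struct obj o; o.type = OBJ_NULL; o.v.d = NULL; return o; }

int main(void)
{
    /* Constructed inputs: a genuine dictionary and the integer from the comment. */
    struct dict d = { "FlateDecode" };
    struct obj good = make_dict(&d);
    struct obj bad  = make_int(0x41414141);
    const char *f = NULL;
    int rc;

    rc = rsdparams_checked(&good, &f);
    printf("checked, dict operand: rc=%d filter=%s\n", rc, f);

    rc = rsdparams_checked(&bad, &f);
    printf("checked, int operand : rc=%d (typecheck, nothing dereferenced)\n", rc);

    printf("unchecked, dict operand: %s\n", rsdparams_unchecked(&good));
    /* rsdparams_unchecked(&bad) would read through address 0x41414141 and crash;
     * it is deliberately not called here. */
    return 0;
}
```

The point of the pairing is that the fix is a tag check at the operator boundary, before the payload is interpreted; the shell-command side of the original report only matters once this confusion has already been used to switch SAFER off.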
Comment 5 Chris Liddell (chrisl) 2017-04-27 01:24:03 UTC

*** This bug has been marked as a duplicate of bug 697799 ***
Comment 6 Casenet 2021-09-07 01:55:38 UTC
Will there be a release cut soon with this patch? It would be great to have it available via package managers. via https://casenet.us/
Comment 7 Ray Johnston 2021-09-07 02:34:57 UTC
Artifex releases Ghostscript on (roughly) 6 month intervals. We will be
preparing a release candidate in the next week or two, and going through our
thorough review also during the time the release candidate is available for
review by distros (and anyone else that gets our gs-devel email announcing it).

Unless we encounter unexpected difficulties, the release should be finalized
before the end of September.