Bug 699657

Summary: .tempfile SAFER restrictions seem to be broken
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: NOTIFIED FIXED
QA Contact: gs-security
Severity: major
Priority: P2
CC: cbuissar, dkaspar, dr, jsmeix, scorneli, till.kamppeter
Version: unspecified
Hardware: PC
OS: Linux
Customer: 501,641
Word Size: ---

Description Tavis Ormandy 2018-08-21 17:59:21 UTC
.tempfile permissions don't seem to work; I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn't seem to work for me, e.g.:

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile

This means you can create a file in any directory (I don't think you can prevent the random suffix).

Comment 1 Chris Liddell (chrisl) 2018-08-23 11:43:05 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f
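
A regression check for the behaviour reported above, as an added example that is not part of the bug report or of the Ghostscript code: it scans strace -fefile output from a -dSAFER run and lists files the process created outside an allowed set of path patterns. The function name, the permitted pattern list (shell-style globs, which only approximate Ghostscript's own matching) and every trace line except the open(...) line quoted in the report are assumptions constructed for illustration.

```python
import fnmatch
import os
import re

# One open()/openat() line as printed by strace -f -e trace=file.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD,\s*)?'
    r'"(?P<path>[^"]*)",\s*(?P<flags>[A-Z0-9_|]+)(?:,\s*\d+)?\)'
    r'\s*=\s*(?P<ret>-?\d+)'
)

def created_outside(trace_lines, permitted):
    """Paths successfully opened with O_CREAT that match no permitted glob."""
    hits = []
    for line in trace_lines:
        m = OPEN_RE.match(line.strip())
        if not m or int(m.group("ret")) < 0:
            continue  # not an open call, or the call was refused
        if "O_CREAT" not in m.group("flags").split("|"):
            continue  # opens that cannot create a file are out of scope
        # Collapse "..": a lexical step only, symlinks such as
        # /proc/self/cwd are not resolved and therefore stay flagged.
        path = os.path.normpath(m.group("path"))
        if not any(fnmatch.fnmatchcase(path, pat) for pat in permitted):
            hits.append(path)
    return hits

# Assumed policy for the example: temp files may only appear under /tmp.
PERMITTED = ["/tmp/*"]

# Constructed trace, except the first line, which is the one in the report.
SAMPLE_TRACE = [
    'open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3',
    'open("/tmp/gs_a1b2c3", O_RDWR|O_CREAT|O_EXCL, 0600) = 4',
    'openat(AT_FDCWD, "/usr/share/ghostscript/init.ps", O_RDONLY) = 3',
    'open("/etc/blocked", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)',
    '[pid  1234] openat(AT_FDCWD, "/tmp/../var/x", O_WRONLY|O_CREAT, 0644) = 5',
]

if __name__ == "__main__":
    for p in created_outside(SAMPLE_TRACE, PERMITTED):
        print("created outside permitted patterns:", p)
```

An empty result on a trace captured while rendering test documents with -dSAFER is the expected state once the restriction is enforced.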