Bug 700576

Summary: forceput in DefineResource still accessible after CVE-2019-6116
Product: Ghostscript Reporter: Cedric <cbuissar>
Component: Security (public)Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal CC: carnil, dr, jsmeix, mosvald, omarandemad, till.kamppeter
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: script that gets hold of forceput from DefineResource

Description Cedric 2019-02-07 16:37:34 UTC
Created attachment 16873 [details]
script that gets hold of forceput from DefineResource

Hi,

I believe we discussed it over e-mail, but I would like to keep track on the fixing of some missing protections for some additional vectors, using similar techniques as the ones described in CVE-2019-6116. 
At least DefineResource is still vulnerable :

# ./bin/gs -dSAFER -sDEVICE=ppmraw -f attack-DefineResource.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(PoC: start)
(ERROR HANDLER: undefined)
(HANDLE: typecheck)
GOT SOMETHING BAD! : .forceput
 == Exploit known, executing
 -- Trying to get the first line from /etc/passwd
(root:x:0:0:root:/root:/bin/bash)


This was tested against current master (8d0253fdeb73bdb021f665e7c5478d6e1f41898e)

Thanks!

Cedric
Comment 1 Chris Liddell (chrisl) 2019-02-20 15:12:47 UTC
Fixed in:

https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01

I have a more comprehensive change which I was planning that would have fixed this, but it *might* be too risky to go into the next release, so we'll go with the fix you originally suggested for now.
Comment 2 Cedric 2019-02-22 10:03:22 UTC
Hi Chris,

(Sorry for late reply. Somehow, I didn't receive a mail regarding the update.)

I tried the fix, it actually doesn't change : still vulnerable.
Comment 3 Chris Liddell (chrisl) 2019-02-22 12:32:06 UTC
Yes, I see - I must have tested with the wrong executable....

There's an extra level of proc that needs protected:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a


On the notification e-mails, we've been having intermittent problems with bugzilla throwing strange errors trying to send mails (hopefully, it works this time!).
Comment 4 Cedric 2019-02-22 14:56:52 UTC
Looks good!

This is CVE-2019-3838

Would there be any preference for disclosure ?
Comment 5 Chris Liddell (chrisl) 2019-02-22 15:11:54 UTC
(In reply to Cedric from comment #4)
> Looks good!
> 
> This is CVE-2019-3838
> 
> Would there be any preference for disclosure ?

I would prefer it to stay private for a couple of weeks. If you could add a comment to CVE pointing to the two commits, that would be great, too.
Comment 6 Cedric 2019-02-22 15:44:38 UTC
(In reply to Chris Liddell (chrisl) from comment #5)
> I would prefer it to stay private for a couple of weeks. If you could add a
> comment to CVE pointing to the two commits, that would be great, too.

During the request for the CVE creation, I forwarded links to both commits, Also the Red Hat bugzilla will contain [when it gets public] a comment with both of them. I think that should cover it.

Regarding the embargo: 2 weeks looks good. I'd like to coordinate with BZ 700585 as well, so that we can release both fix at the same time.

[btw: feel free to also delete the attached PoC before publishing]