| Summary: | use-after-free vulnerability in igc_reloc_struct_ptr() from PDF file | | |
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Todd <tcullum> |
| Component: | Security (public) | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | normal | CC: | akhaitov, carnil, cbuissar, dr, jsmeix, marc.deslauriers, till.kamppeter |
| Priority: | P4 | | |
| Version: | 9.25 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Customer: | | Word Size: | --- |
Description
Todd 2020-08-28 19:59:55 UTC
Please re-test with the 9.53.0 Release Candidate: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/ghostpdl-9.53.0rc2

If it is reproducible, then re-open this bug (change the "Status" to confirmed).

We really don't appreciate someone submitting bugs for old versions -- it takes time, even if it's just asking you to test with the latest available (in this case the 9.53.0 Release Candidate). Wouldn't you rather have us spending time on things that are actually still problems?

chris-liddell released Ghostscript/GhostPDL 9.25 on Sep 13, 2018

(In reply to Todd from comment #0)
> When testing for BZ#701818 in ghostscript-9.25, I found a use-after-free
> which looks unrelated to that bug. It occurs when the crafted PDF PoC file
> is provided as input to ghostscript.
>
> Steps to reproduce:
>
> 1. Download https://bugs.ghostscript.com/attachment.cgi?id=18402
> 2. Compile ghostscript with AddressSanitizer
> 3. Run:
>
> gs -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp
> -sDEVICE=xpswrite $PoC

In order to reproduce the problem it is necessary to use the 9.25 released code; later releases do not exhibit the issue. The 9.25 release was the 13th September 2018.

In bug 701818 we can see from the address sanitizer stack that this particular use-after-free isn't present. Now that report was against a SHA representing a commit between releases, in fact from 31st October 2019. So this tells us that the problem had already been fixed by this point.

Using Git bisect I find that the relevant commit was this one:

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ece5cbbd9979cd35737b00e68267762d72feb2ea

This was not *intended* to fix this specific problem, but it clearly does.

I would highly recommend using Git bisect in cases like this; it's quick (on Linux it only took me an hour or so to locate this commit), and will find cases like this where a problem was unwittingly fixed as a consequence of something else.

Obviously it's up to you whether you choose to take on that commit in order to resolve the use-after-free problem; from our point of view the problem has already been fixed in our current code base.

I've changed the resolution to 'worksforme' as there was a problem here, but it's already been resolved.

Thanks for looking into it. My intention of course was mostly to inform about the bug for documentation purposes, knowing that this is not even close to the current version. Appreciate the reference to Git Bisect as this is a useful tool I can add to my toolbox, and the specific commit you referenced.

Just to be comprehensive, I checked it with 9.53.0RC2 in my environment and it did not trigger a use-after-free. Instead, I got this output:

```
~/Downloads/ghostpdl-9.53.0rc2/sanbin $ ./gs -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp -sDEVICE=xpswrite ~/Downloads/xps_finish_poc.pdf
GPL Ghostscript RELEASE CANDIDATE 2 9.53.0 (2020-08-27)
Copyright (C) 2020 Artifex Software, Inc. All rights reserved.
This software is supplied under the GNU AGPLv3 and comes with NO WARRANTY: see the file COPYING for details.
Processing pages 1 through 3.
Page 1
**** Error: Error reading font stream, attempting to load the font using its name
Output may be incorrect.
Querying operating system for font files...
Substituting font Times-Roman for EPKNCP+TimesNewRomanPSMT.
Loading NimbusRoman-Regular font from %rom%Resource/Font/NimbusRoman-Regular... 4467604 2911804 4167968 2833129 4 done.
Page 2
Substituting font Helvetica for Tahoma.
Loading NimbusSans-Regular font from %rom%Resource/Font/NimbusSans-Regular... 4533716 3085400 4369968 2999819 4 done.
Substituting font Helvetica for ArialMT.
**** Error reading a content stream. The page may be incomplete.
Output may be incorrect.
**** Error reading a content stream. The page may be incomplete.
Output may be incorrect.
Page 3
Substituting font Helvetica for Tahoma.
**** Error reading a content stream. The page may be incomplete.
Output may be incorrect.
**** This file had errors that were repaired or ignored.
**** The file was produced by:
**** >>>> Acrobat Distiller 9.5.2 (Windows) <<<<
**** Please notify the author of the software that produced this
**** file that it does not conform to Adobe's published PDF
**** specification.
**** The rendered output from this file may be incorrect.
```

So ghostscript of course properly catches the problem in 9.53RC2 as you stated.

Is it ok to make this public at this point?

(In reply to Todd from comment #3)
> Thanks for looking into it. My intention of course was mostly to inform
> about the bug for documentation purposes, knowing that this is not even
> close to the current version.

Technically it is (I think) *just* still supported for customers (not quite 2 years yet).

> Is it ok to make this public at this point?

Well, it's been 'fixed', even if it's incidental, for 18 months, so I can't see any reason why not. Might be nice to wait for Chris to give it his blessing, seeing as how he owns the bug, but he's on vacation today. Do you mind waiting until tomorrow for a response from him?

(In reply to Ken Sharp from comment #4)
> Do you mind waiting until tomorrow for a response from him ?

Absolutely can wait. Thanks.

I don't see any issue making it public.
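The bisect approach described in the thread (hunting for the commit where the sanitizer report disappears, rather than where a regression appeared) as a `git bisect run` driver; this is an added example, not Ghostscript project code. It assumes a ghostpdl git checkout in which `./autogen.sh && make sanitize` produces `sanbin/gs` (the `sanbin` path appears in the output above), and that `POC` points at attachment 18402 from the report; the log-classification helpers are the part that runs stand-alone.

```shell
#!/bin/sh
# Added example (not Ghostscript project code): `git bisect run` driver that
# finds the commit where an ASan heap-use-after-free report stopped appearing.
# We are hunting a *fix*, so good/bad is inverted via custom terms:
#   git bisect start --term-old broken --term-new fixed
#   git bisect broken <ref-of-9.25>; git bisect fixed <later-ref-without-the-uaf>
#   git bisect run sh bisect-uaf.sh --step
# Assumes a ghostpdl git checkout where `./autogen.sh && make sanitize` yields
# sanbin/gs, and POC pointing at attachment 18402 from the report.

POC="${POC:-$HOME/Downloads/xps_finish_poc.pdf}"
GS_ARGS="-dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp -sDEVICE=xpswrite"

# Classify one run log: "broken" if ASan reported a heap-use-after-free, "fixed"
# if gs started but no such report appeared (other errors are not this bug),
# "skip" if gs never ran at all (build problem, bad path).
asan_verdict() {
    if grep -q 'ERROR: AddressSanitizer: heap-use-after-free' "$1"; then
        echo broken
    elif grep -q '^GPL Ghostscript' "$1"; then
        echo fixed
    else
        echo skip
    fi
}

# `git bisect run` reads exit 0 as the *old* term (broken), 1-127 except 125
# as the *new* term (fixed), and 125 as "cannot test this commit, skip it".
bisect_exit_code() {
    case "$1" in
        broken) echo 0 ;;
        fixed)  echo 1 ;;
        *)      echo 125 ;;
    esac
}

# One bisect step: rebuild with sanitizers, run the PoC, translate the result.
bisect_step() {
    make clean >/dev/null 2>&1 || true
    if ! ./autogen.sh >/dev/null 2>&1 || ! make sanitize >/dev/null 2>&1; then
        exit 125    # untestable commit, let bisect skip it
    fi
    # gs exits nonzero on a damaged PDF even when no memory error occurs.
    ./sanbin/gs $GS_ARGS "$POC" >bisect.log 2>&1 || true
    exit "$(bisect_exit_code "$(asan_verdict bisect.log)")"
}

# Only act as a bisect step when invoked with --step; otherwise just define helpers.
if [ "${1:-}" = "--step" ]; then
    bisect_step
fi
```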