Bug 697169 - .libfile does not honor -dSAFER
Summary: .libfile does not honor -dSAFER
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PS Interpreter (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-28 23:25 UTC by Florian Weimer
Modified: 2019-07-22 07:13 UTC (History)
3 users (show)

See Also:
Customer:
Word Size: ---


Attachments
libfile.ps (141 bytes, text/plain)
2016-09-28 23:25 UTC, Florian Weimer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Weimer 2016-09-28 23:25:01 UTC
Created attachment 12972 [details]
libfile.ps

Tavis Ormandy pointed out that .libfile can be used to access arbitrary files on the file system:

  http://www.openwall.com/lists/oss-security/2016/09/29/3

His reproducer does not work with current master (27e01aa77d0cf1668f60d87cf7417c90bf309d1b) because filenameforall was fixed as bug 694724 in commit ab109aaeb3ddba59518b036fb288402a65cf7ce8.  I'm attaching a simplified reproducer for .libfile itself.
Comment 1 Chris Liddell (chrisl) 2016-10-05 08:50:23 UTC
Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
Comment 2 Ray Johnston 2017-02-13 20:31:29 UTC
The commit was pushed to the "origin" as
commit 8abd22010eb4db0fb1b10e430d5f5d83e015ef70
Author: Chris Liddell <chris.liddell@artifex.com>
Date:   Mon Oct 3 01:46:28 2016 +0100

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70

(the "user/chrisl" link is no longer available.