Bug 697169 - .libfile does not honor -dSAFER
Summary: .libfile does not honor -dSAFER
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PS Interpreter (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-28 23:25 UTC by Florian Weimer
Modified: 2019-07-22 07:13 UTC (History)
3 users (show)

See Also:
Customer:
Word Size: ---

Attachments
libfile.ps (141 bytes, text/plain)
2016-09-28 23:25 UTC, Florian Weimer 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Weimer 2016-09-28 23:25:01 UTC 
Created attachment 12972 [details]
libfile.ps

Tavis Ormandy pointed out that .libfile can be used to access arbitrary files on the file system:

  http://www.openwall.com/lists/oss-security/2016/09/29/3

His reproducer does not work with current master (27e01aa77d0cf1668f60d87cf7417c90bf309d1b) because filenameforall was fixed as bug 694724 in commit ab109aaeb3ddba59518b036fb288402a65cf7ce8.  I'm attaching a simplified reproducer for .libfile itself.
Comment 1 Chris Liddell (chrisl) 2016-10-05 08:50:23 UTC 
Fixed in:
http://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=cf046d2
Comment 2 Ray Johnston 2017-02-13 20:31:29 UTC 
The commit was pushed to the "origin" as
commit 8abd22010eb4db0fb1b10e430d5f5d83e015ef70
Author: Chris Liddell <chris.liddell@artifex.com>
Date:   Mon Oct 3 01:46:28 2016 +0100

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70

(the "user/chrisl" link is no longer available.