Bug 697808 - %pipe% security issue
Status: RESOLVED DUPLICATE of bug 697799
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P1 normal
Assigned To: Default assignee
Reported: 2017-04-26 17:06 PDT by seth.arnold
Modified: 2017-04-27 07:24 PDT (History)

Comment 1 seth.arnold 2017-04-26 18:34:07 PDT
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.

Thanks
Comment 2 Tavis Ormandy 2017-04-26 20:47:35 PDT
I think the shell commands are a red herring; the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.

It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.

A more minimal testcase would be just 16#0x41414141 .rsdparams.

(see bug 697190 for an older example)
Comment 3 Tavis Ormandy 2017-04-26 20:48:18 PDT
(without the 0x, sorry)
Comment 4 Tavis Ormandy 2017-04-26 21:13:37 PDT
Oh, and .eqproc also needs to be fixed. Fun.
Comment 5 Chris Liddell (chrisl) 2017-04-27 01:24:03 PDT

*** This bug has been marked as a duplicate of bug 697799 ***