Bug 697808 - %pipe% security issue
Summary: %pipe% security issue
Status: RESOLVED DUPLICATE of bug 697799
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P1 normal
Assignee: Default assignee
QA Contact: Bug traffic
Depends on:
Reported: 2017-04-26 17:06 UTC by seth.arnold
Modified: 2017-04-27 07:24 UTC

See Also:
Word Size: ---


Comment 1 seth.arnold 2017-04-26 18:34:07 UTC
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.

Comment 2 Tavis Ormandy 2017-04-26 20:47:35 UTC
I think the shell commands are a red herring; the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.

It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.

A more minimal testcase would be just 16#0x41414141 .rsdparams.

(see bug 697190 for an older example)
Comment 3 Tavis Ormandy 2017-04-26 20:48:18 UTC
(without the 0x, sorry)
Comment 4 Tavis Ormandy 2017-04-26 21:13:37 UTC
Oh, and .eqproc also needs to be fixed. Fun.
Comment 5 Chris Liddell (chrisl) 2017-04-27 01:24:03 UTC

*** This bug has been marked as a duplicate of bug 697799 ***