Bug 697808 - %pipe% security issue
Summary: %pipe% security issue
Status: RESOLVED DUPLICATE of bug 697799
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: master
Hardware: PC Linux
Importance: P1 normal
Assignee: Default assignee
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-26 17:06 UTC by seth.arnold
Modified: 2021-09-10 16:34 UTC

See Also:
Customer:
Word Size: ---


Comment 1 seth.arnold 2017-04-26 18:34:07 UTC
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.

Thanks
Comment 2 Tavis Ormandy 2017-04-26 20:47:35 UTC
I think the shell commands are a red herring; the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.

It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.

A more minimal testcase would be just 16#0x41414141 .rsdparams.

(see bug 697190 for an older example)
Comment 3 Tavis Ormandy 2017-04-26 20:48:18 UTC
(without the 0x, sorry)
Comment 4 Tavis Ormandy 2017-04-26 21:13:37 UTC
Oh, and .eqproc also needs to be fixed. Fun.
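A defender-side check prompted by comments 2 to 4, added here as an illustration and not part of this bug report or of Ghostscript: a small PostScript tokenizer that flags executable uses of the internal operators named above (`.rsdparams`, `.eqproc`) in untrusted input, reporting the token immediately before each call so the operand it would receive is visible. The operator list and the sample document are constructed for the example; the regex string pattern assumes non-nested parentheses.

```python
import re

# Ghostscript-internal operators named in this bug (comments 2 and 4). The
# leading '.' marks implementation internals rather than PostScript language
# operators, so a document submitted for rendering has no reason to call them.
FLAGGED_OPERATORS = {".rsdparams", ".eqproc"}

# PostScript tokens, tried in this order. Strings containing nested
# parentheses are not handled by this simplified pattern.
_TOKEN_RE = re.compile(
    r"(?P<comment>%[^\n]*)"                  # comment runs to end of line
    r"|(?P<string>\((?:\\[\s\S]|[^\\()])*\))"  # literal string with escapes
    r"|<[0-9A-Fa-f\s]*>"                     # hex string
    r"|<<|>>|[\[\]{}]"                       # dict, array, procedure delimiters
    r"|/?[^\s()<>\[\]{}/%]+"                 # names ('/' = literal), numbers, operators
    r"|\S"                                   # any stray delimiter character
)

def tokenize(ps):
    """Yield (token, line) pairs; comments are dropped, strings become '(string)'."""
    for m in _TOKEN_RE.finditer(ps):
        if m.lastgroup == "comment":
            continue
        line = ps.count("\n", 0, m.start()) + 1
        yield ("(string)" if m.lastgroup == "string" else m.group(0)), line

def find_internal_operators(ps):
    """Return (line, operator, preceding token) for each executable use of a
    flagged operator. A '/'-prefixed literal name or a mention inside a string
    is not a call and is not reported; the preceding token shows which operand
    the call receives (an integer in the testcase from comments 2 and 3)."""
    hits, prev = [], None
    for tok, line in tokenize(ps):
        if tok in FLAGGED_OPERATORS:
            hits.append((line, tok, prev))
        prev = tok
    return hits

# Constructed sample: the string and the literal name must not be flagged; the
# executable call with an integer operand must be.
SAMPLE = "%!PS-Adobe-3.0\n(.rsdparams) pop /.rsdparams pop\n16#41414141 .rsdparams\n"

if __name__ == "__main__":
    for line, op, operand in find_internal_operators(SAMPLE):
        print(f"line {line}: {op} called with operand {operand!r}")
```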
Comment 5 Chris Liddell (chrisl) 2017-04-27 01:24:03 UTC

*** This bug has been marked as a duplicate of bug 697799 ***
Comment 6 Casenet 2021-09-07 01:55:38 UTC
Will there be a release cut soon with this patch? Would be great to have available via package managers. via https://casenet.us/
Comment 7 Ray Johnston 2021-09-07 02:34:57 UTC
Artifex releases Ghostscript on (roughly) 6 month intervals. We will be preparing a release candidate in the next week or two, and going through our thorough review also during the time the release candidate is available for review by distros (and anyone else that gets our gs-devel email announcing it).

Unless we encounter unexpected difficulties, the release should be finalized before the end of September.