699657 – .tempfile SAFER restrictions seem to be broken

Bug 699657 - .tempfile SAFER restrictions seem to be broken

Summary: .tempfile SAFER restrictions seem to be broken

Status:	NOTIFIED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 major
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-08-21 17:59 UTC by Tavis Ormandy
Modified:	2019-05-08 13:34 UTC (History)
CC List:	6 users (show)

See Also:
Customer:	501,641
Word Size:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tavis Ormandy 2018-08-21 17:59:21 UTC

.tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the  PermitFileReading array, but that doesn't seem to work for me e.g.:

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile

This means you can create a file in any directory (I don't think you can prevent the random suffix).

Comment 1 Chris Liddell (chrisl) 2018-08-23 11:43:05 UTC

Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0d3901189f