Bug 699832 - Regression: Error: /nocurrentpoint in --currentpoint-- (Regression since fb713b3818b52d8a6cf62c951eba2e1795ff9624/9.25rc1)
Summary: Regression: Error: /nocurrentpoint in --currentpoint-- (Regression since fb71...
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Regression (show other bugs)
Version: 9.25
Hardware: PC Linux
Importance: P4 normal
Assignee: Chris Liddell (chrisl)
URL: https://bugs.debian.org/909929
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-30 06:34 UTC by Salvatore Bonaccorso
Modified: 2018-10-09 09:42 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments
PostScript document text conforming DSC level 2.0, type EPS triggering regression (39.00 KB, application/postscript)
2018-09-30 06:34 UTC, Salvatore Bonaccorso

Description Salvatore Bonaccorso 2018-09-30 06:34:33 UTC
Created attachment 15708
PostScript document text conforming DSC level 2.0, type EPS triggering regression

Hi

A user reported downstream in Debian, with the attached 'second.eps', a regression after applying the commit fb713b3818b52d8a6cf62c951eba2e1795ff9624 to address CVE-2018-17183:

Initially found, for instance, by issuing gv second.eps, but it is demonstrable with a shortened call to gs as follows:

$ ./bin/gs -q -dSAFER -sDEVICE=nullpage -sOutputFile=/dev/null -dNOPAUSE ~/second.eps -c quit
Error: /nocurrentpoint in --currentpoint--
Operand stack:

Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   2015   1   3   %oparray_pop   2014   1   3   %oparray_pop   --nostringval--   1998   1   3   %oparray_pop   1884   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--
Dictionary stack:
   --dict:966/1684(ro)(G)--   --dict:0/20(G)--   --dict:82/200(L)--   --dict:12/20(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 774
GPL Ghostscript GIT PRERELEASE 9.25: Unrecoverable error, exit code 1

The issue is found in master as well (as per 9565f4ca4aab712f411420fa4c8cae79a2cf88ed).

The bisect log shows the following information, indicating that the regression is introduced in

# good: [5deee306126e09f95e40e69fe04a7d26c842fb56] Update date and product string for 9.20 release
git bisect good 5deee306126e09f95e40e69fe04a7d26c842fb56
# bad: [9565f4ca4aab712f411420fa4c8cae79a2cf88ed] Bug 699813 "filenameforall calls bad iodev with insufficent scratch"
git bisect bad 9565f4ca4aab712f411420fa4c8cae79a2cf88ed
# bad: [070358777b534c600c522da8541690022102b7a6] Dates, product string, changelog, etc for 9.25 release
git bisect bad 070358777b534c600c522da8541690022102b7a6
# good: [32f1afe5c1e0b862e3bde05dc7b860a5f65cfbea] Update dates, product string etc for release
git bisect good 32f1afe5c1e0b862e3bde05dc7b860a5f65cfbea
# bad: [070358777b534c600c522da8541690022102b7a6] Dates, product string, changelog, etc for 9.25 release
git bisect bad 070358777b534c600c522da8541690022102b7a6
# good: [520bb0ea7519aa3e79db78aaf0589dae02103764] Bug #699654 (again) and Bug #699677 Improve operator removal for SAFER
git bisect good 520bb0ea7519aa3e79db78aaf0589dae02103764
# good: [bc1d2d9742c960f1d4905f43810be072c5d92390] Bug 691725: Tweak gssetgs*.bat files.
git bisect good bc1d2d9742c960f1d4905f43810be072c5d92390
# bad: [65a9046ded8e9edd5d33bc812a9e94ae29607a1e] Bug #699707 "Security review bug - continuation procedures"
git bisect bad 65a9046ded8e9edd5d33bc812a9e94ae29607a1e
# good: [0d8c7d563745bfd89051a203267fcbf2492ecfcc] Bug 699720: Change available buffer space to int from uint
git bisect good 0d8c7d563745bfd89051a203267fcbf2492ecfcc
# bad: [13418541a5ae19b15f51cbb87faf344902f5af98] Bug 699722 (2): add wildcards to the permissions paths.
git bisect bad 13418541a5ae19b15f51cbb87faf344902f5af98
# bad: [c8c01f8c4164bc10281d9e8f87cf96314d93104b] Bug 699722: Add the ICCProfilesDir to the PermitReading list
git bisect bad c8c01f8c4164bc10281d9e8f87cf96314d93104b
# bad: [fb713b3818b52d8a6cf62c951eba2e1795ff9624] Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER
git bisect bad fb713b3818b52d8a6cf62c951eba2e1795ff9624
# first bad commit: [fb713b3818b52d8a6cf62c951eba2e1795ff9624] Bug 699708 (part 1): 'Hide' non-replaceable error handlers for SAFER

Regards,
Salvatore
Comment 1 Ken Sharp 2018-09-30 11:29:11 UTC
By coincidence this had already turned up in our local testing and I was going to look into it.

I can see what the problem is, and it is one we had anticipated as a result of this change. I'll consult with the other developers but I suspect the answer is 'sorry, that's how it works now, don't use -dSAFER'

Essentially the use of SAFER breaks Ghostscript's conformance with the language specification. It has to, the PostScript language is a complete programming language, and so permits things like unrestricted access to the file system.

We recently increased the scope of SAFER in order to prevent malicious code from being able to disable SAFER. This means that we are a little less in compliance with the language than we were before (which is one reason we've been reluctant to do this), but it does further secure the use of Ghostscript.

We anticipate adding some granularity to the way that SAFER works, partly as the result of a request by Johannes Meixner at SuSE. When that gets implemented it will be possible to reduce the safety of SAFER and permit this particular feature of the language (replaceable error handlers). Obviously this will reduce the security.

I'm leaving this open for now, and assigning to Chris as he's planning to implement it.
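As an added illustration of the language feature Ken refers to (a constructed fragment, not the contents of the attached second.eps, which are not shown on this page): PostScript dispatches an error by executing the procedure stored under that error's name in errordict, and a conforming interpreter lets a document replace that entry so it can recover instead of aborting. When the error handlers are hidden under SAFER, the document's replacement is not honored and the job ends with the /nocurrentpoint trace quoted in the report.

```postscript
%!PS
% Constructed example of a "replaceable error handler" (not the attached EPS).
% When an operator raises an error, the interpreter pushes the failing
% operator object on the operand stack, looks the error name up in errordict
% and executes that procedure. If the procedure returns instead of calling
% stop, execution resumes with the object after the failed operator.

% Document-supplied handler for /nocurrentpoint: discard the failing
% operator, establish a current point at the origin and push a stand-in
% result, so code written around currentpoint keeps running.
errordict /nocurrentpoint {
  pop            % the offending operator object (here --currentpoint--)
  0 0 moveto     % establish a current point
  0 0            % stand in for the x y that currentpoint would have returned
} put

% Path construction that assumes a current point already exists.
% newpath discards the current point, so currentpoint raises /nocurrentpoint.
% With the handler above honored, the job draws a short diagonal line;
% with the handlers hidden, it stops with
% "Error: /nocurrentpoint in --currentpoint--".
newpath
currentpoint                     % x y   (supplied by the handler here)
10 add exch 10 add exch lineto   % line to (x+10, y+10)
stroke
showpage
```

Running this with and without -dSAFER on the affected build is a quick way to confirm whether a file depends on replacing errordict entries rather than on some other SAFER restriction.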
Comment 2 Ken Sharp 2018-09-30 15:57:38 UTC
I forgot to say thanks for your efforts in bisecting the commit, that really helped isolate the problem and saved me a tedious task, much appreciated!
Comment 3 Chris Liddell (chrisl) 2018-10-09 09:42:19 UTC
Fixed in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1778db6bc10


This makes the "hiding" of the error handlers an explicit option that is not tied to SAFER.