Created attachment 16873 [details]
script that gets hold of forceput from DefineResource
I believe we discussed it over e-mail, but I would like to keep track of the fixing of some missing protections for some additional vectors, using similar techniques to the ones described in CVE-2019-6116.
At least DefineResource is still vulnerable:
# ./bin/gs -dSAFER -sDEVICE=ppmraw -f attack-DefineResource.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(ERROR HANDLER: undefined)
GOT SOMETHING BAD! : .forceput
== Exploit known, executing
-- Trying to get the first line from /etc/passwd
This was tested against current master (8d0253fdeb73bdb021f665e7c5478d6e1f41898e)
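The report above shows a -dSAFER job reaching the internal .forceput operator. As an added, defender-side example that is not part of the bug report or of Ghostscript, the script below scans untrusted PostScript input for bare references to such internal operators before it is handed to an interpreter. The watchlist (.forceput, .forceundef, .setsafe) and the sample document are constructed for illustration; the lexer strips comments, (...) strings and <...> hex strings first so that data merely mentioning an operator name does not trigger a hit.

```python
import re

# Assumed watchlist: internal Ghostscript operator names that ordinary
# documents never need to reference directly.
WATCHLIST = {".forceput", ".forceundef", ".setsafe"}

# PostScript delimiters: whitespace and ( ) < > [ ] { } / %
TOKEN_RE = re.compile(r"[^\s()<>\[\]{}/%]+")


def strip_comments_and_strings(src: str) -> str:
    """Blank out %-comments, nested (...) strings and <...> hex strings.

    Newlines are preserved so that line numbers stay meaningful.
    """
    out = []
    i, n = 0, len(src)
    depth = 0  # nesting depth inside a (...) string
    while i < n:
        c = src[i]
        if depth > 0:
            if c == "\\":            # escaped char inside a string
                i += 2
                continue
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    out.append(" ")  # keep a separator where the string was
            elif c in "\r\n":
                out.append(c)
            i += 1
            continue
        if c == "(":
            depth = 1
            i += 1
            continue
        if c == "%":                 # comment runs to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
            continue
        if c == "<" and i + 1 < n and src[i + 1] not in "<~":
            # hex string <...>; '<<' is a dict and '<~' is ASCII85, left alone
            j = src.find(">", i)
            i = n if j < 0 else j + 1
            out.append(" ")
            continue
        out.append(c)
        i += 1
    return "".join(out)


def find_suspicious_operators(src: str, watchlist=WATCHLIST) -> dict:
    """Return {operator_name: [line numbers]} for watchlisted tokens in code."""
    hits = {}
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            if tok in watchlist:
                hits.setdefault(tok, []).append(lineno)
    return hits


# Constructed sample document (not the attachment from the bug report).
SAMPLE_PS = """%!PS
% constructed sample: a comment naming .forceput is not code
(a string naming .forceput is data, not code) pop
/x 1 def
/hook { .forceput } bind def
<2e666f726365707574> pop
"""

if __name__ == "__main__":
    for name, lines in find_suspicious_operators(SAMPLE_PS).items():
        print(f"{name}: referenced on line(s) {lines}")
```

Only line 5 is reported: the comment, the string and the hex-encoded copy on line 6 are data and are skipped. A scanner like this is a cheap triage filter, not a substitute for running the interpreter with the fixed release; a document can still build an operator name at runtime, which only the interpreter-side protection (hiding the internal procedures) actually prevents.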
I have a more comprehensive change which I was planning that would have fixed this, but it *might* be too risky to go into the next release, so we'll go with the fix you originally suggested for now.
(Sorry for late reply. Somehow, I didn't receive a mail regarding the update.)
I tried the fix; it actually doesn't change anything: still vulnerable.
Yes, I see - I must have tested with the wrong executable....
There's an extra level of proc that needs to be protected:
On the notification e-mails, we've been having intermittent problems with bugzilla throwing strange errors trying to send mails (hopefully, it works this time!).
This is CVE-2019-3838
Would there be any preference for disclosure?
(In reply to Cedric from comment #4)
> Looks good!
> This is CVE-2019-3838
> Would there be any preference for disclosure?
I would prefer it to stay private for a couple of weeks. If you could add a comment to CVE pointing to the two commits, that would be great, too.
(In reply to Chris Liddell (chrisl) from comment #5)
> I would prefer it to stay private for a couple of weeks. If you could add a
> comment to CVE pointing to the two commits, that would be great, too.
During the request for the CVE creation, I forwarded links to both commits. Also, the Red Hat Bugzilla will contain [when it gets public] a comment with both of them. I think that should cover it.
Regarding the embargo: 2 weeks looks good. I'd like to coordinate with BZ 700585 as well, so that we can release both fixes at the same time.
[btw: feel free to also delete the attached PoC before publishing]