Bug 736645

Summary: <app-text/ghostscript-gpl-9.52: CVE-2020-15900: Ghostscript SAFER Sandbox Breakout
Product: Gentoo Linux
Reporter: Reva Denis <denis7774>
Component: Current packages
Assignee: Gentoo Security <security>
Severity: major
CC: ajak, jstein, printing
Priority: Normal
Keywords: SECURITY
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Bug Depends on: 715760
Bug Blocks:

Description Reva Denis 2020-08-10 15:48:01 UTC
Insomnia Security found a buffer length calculation flaw in a non-standard Postscript operator in Ghostscript, which allows the creation of a 4GB "string" reference overlapping with other memory structures. This was introduced in Ghostscript 9.50 and is present in the latest official 9.52 release. By reading and writing through this string reference, heap content can be directly manipulated, resulting in arbitrary read/write of memory.

By reading and writing only data memory (i.e. no direct injection of shellcode), Insomnia Security found the sandbox can be reliably disabled, and dangerous Postscript functionality made available. This includes arbitrary file reading and writing, as well as OS command execution in environments with this enabled (Linux, some Windows environments). Exploitation using standard memory corruption techniques would also be viable.

Reproducible: Always

Steps to Reproduce:
Actual Results:
# LC_ALL=C eix -v ghostscript
* app-text/ghostscript-gpl
     Available versions:  9.50
     IUSE (all versions): X cups dbus gtk static-libs tiff unicode L10N="de ja ko zh-CN zh-TW"
     Installed versions:  Version:   9.50
                          Date:      07:57:42 08/10/20
                          USE:       dbus unicode -X -cups -gtk -static-libs -tiff L10N="-de -ja -ko -zh-CN -zh-TW"
                          DEPEND:    app-text/libpaper media-libs/fontconfig >=media-libs/freetype-2.4.9:2/2= >=media-libs/jbig2dec-0.16:0/0.18= >=media-libs/lcms-2.6:2 >=media-libs/libpng-1.6.2:0/16= >=media-libs/openjpeg-2.1.0:2/7= >=sys-libs/zlib-1.2.7 virtual/jpeg:0 sys-apps/dbus net-dns/libidn:0/12=
                          RDEPEND:   ${DEPEND} app-text/poppler-data >=media-fonts/urw-fonts-2.4.9
                          BDEPEND:   virtual/pkgconfig >=app-portage/elt-patches-20170815 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
                          EAPI:      7
     Best versions/slot:  9.50
     Description:         Interpreter for the PostScript language and PDF
     License:             AGPL-3 CPL-1.0
Comment 1 Reva Denis 2020-08-10 15:49:30 UTC

In Russian (where I found the information)
Comment 2 Reva Denis 2020-08-10 15:52:30 UTC
Some other resources with information about the CVE:
Comment 3 John Helmert III gentoo-dev Security 2020-08-10 20:54:19 UTC
This appears to be a duplicate of bug 734322.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 02:22:10 UTC
(In reply to John Helmert III (ajak) from comment #3)
> This appears to be a duplicate of bug 734322.

Agreed. Thanks for the report though!

*** This bug has been marked as a duplicate of bug 734322 ***