Bug 736645 - <app-text/ghostscript-gpl-9.52 CVE-2020-15900:Ghostscript SAFER Sandbox Breakout
Status: RESOLVED DUPLICATE of bug 734322
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: SECURITY
Depends on: 715760
Blocks:
Reported: 2020-08-10 15:48 UTC by Reva Denis
Modified: 2020-08-11 02:22 UTC

See Also:
Package list:
Runtime testing required: ---

Description Reva Denis 2020-08-10 15:48:01 UTC
From: https://insomniasec.com/blog/ghostscript-cve-2020-15900
Summary
Insomnia Security found a buffer length calculation flaw in a non-standard Postscript operator in Ghostscript, which allows the creation of a 4GB "string" reference overlapping with other memory structures. This was introduced in Ghostscript 9.50 and is present in the latest official 9.52 release. By reading and writing through this string reference, heap content can be directly manipulated, resulting in arbitrary read/write of memory.

By reading and writing only data memory (i.e. no direct injection of shellcode), Insomnia Security found the sandbox can be reliably disabled, and dangerous Postscript functionality made available. This includes arbitrary file reading and writing, as well as OS command execution in environments with this enabled (Linux, some Windows environments). Exploitation using standard memory corruption techniques would also be viable.



Reproducible: Always

Steps to Reproduce:
See https://insomniasec.com/blog/ghostscript-cve-2020-15900
Actual Results:  
# LC_ALL=C eix -v ghostscript
* app-text/ghostscript-gpl
     Available versions:  9.50
     IUSE (all versions): X cups dbus gtk static-libs tiff unicode L10N="de ja ko zh-CN zh-TW"
     Installed versions:  Version:   9.50
                          Date:      07:57:42 08/10/20
                          USE:       dbus unicode -X -cups -gtk -static-libs -tiff L10N="-de -ja -ko -zh-CN -zh-TW"
                          DEPEND:    app-text/libpaper media-libs/fontconfig >=media-libs/freetype-2.4.9:2/2= >=media-libs/jbig2dec-0.16:0/0.18= >=media-libs/lcms-2.6:2 >=media-libs/libpng-1.6.2:0/16= >=media-libs/openjpeg-2.1.0:2/7= >=sys-libs/zlib-1.2.7 virtual/jpeg:0 sys-apps/dbus net-dns/libidn:0/12=
                          RDEPEND:   ${DEPEND} app-text/poppler-data >=media-fonts/urw-fonts-2.4.9
                          BDEPEND:   virtual/pkgconfig >=app-portage/elt-patches-20170815 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
                          SRC_URI:   
                          EAPI:      7
     Best versions/slot:  9.50
     Homepage:            https://ghostscript.com/
     Description:         Interpreter for the PostScript language and PDF
     License:             AGPL-3 CPL-1.0
Comment 1 Reva Denis 2020-08-10 15:49:30 UTC
CVE:
https://security-tracker.debian.org/tracker/CVE-2020-15900


Additional:
In Russian language (where I found off information)
https://www.opennet.ru/opennews/art.shtml?num=53480
Comment 2 Reva Denis 2020-08-10 15:52:30 UTC
Some other resources with information about CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15900
https://nvd.nist.gov/vuln/detail/CVE-2020-15900
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-10 20:54:19 UTC
This appears to be a duplicate of bug 734322.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 02:22:10 UTC
(In reply to John Helmert III (ajak) from comment #3)
> This appears to be a duplicate of bug 734322.

Agreed. Thanks for the report though!

*** This bug has been marked as a duplicate of bug 734322 ***