Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 736645 - <app-text/ghostscript-gpl-9.52 CVE-2020-15900:Ghostscript SAFER Sandbox Breakout
Summary: <app-text/ghostscript-gpl-9.52 CVE-2020-15900:Ghostscript SAFER Sandbox Breakout
Status: RESOLVED DUPLICATE of bug 734322
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Keywords: SECURITY
Depends on: 715760
  Show dependency tree
Reported: 2020-08-10 15:48 UTC by Reva Denis
Modified: 2020-08-11 02:22 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Reva Denis 2020-08-10 15:48:01 UTC
Insomnia Security found a buffer length calculation flaw in a non-standard Postscript operator in Ghostscript, which allows the creation of a 4GB "string" reference overlapping with other memory structures. This was introduced in Ghostscript 9.50 and is present in the latest official 9.52 release. By reading and writing through this string reference, heap content can be directly manipulated, resulting in arbitrary read/write of memory.

By reading and writing only data memory (i.e. no direct injection of shellcode), Insomnia Security found the sandbox can be reliably disabled, and dangerous Postscript functionality made available. This includes arbitrary file reading and writing, as well as OS command execution in environments with this enabled (Linux, some Windows environments). Exploitation using standard memory corruption techniques would also be viable.

Reproducible: Always

Steps to Reproduce:
Actual Results:  
# LC_ALL=C eix -v ghostscript
* app-text/ghostscript-gpl
     Available versions:  9.50
     IUSE (all versions): X cups dbus gtk static-libs tiff unicode L10N="de ja ko zh-CN zh-TW"
     Installed versions:  Version:   9.50
                          Date:      07:57:42 08/10/20
                          USE:       dbus unicode -X -cups -gtk -static-libs -tiff L10N="-de -ja -ko -zh-CN -zh-TW"
                          DEPEND:    app-text/libpaper media-libs/fontconfig >=media-libs/freetype-2.4.9:2/2= >=media-libs/jbig2dec-0.16:0/0.18= >=media-libs/lcms-2.6:2 >=media-libs/libpng-1.6.2:0/16= >=media-libs/openjpeg-2.1.0:2/7= >=sys-libs/zlib-1.2.7 virtual/jpeg:0 sys-apps/dbus net-dns/libidn:0/12=
                          RDEPEND:   ${DEPEND} app-text/poppler-data >=media-fonts/urw-fonts-2.4.9
                          BDEPEND:   virtual/pkgconfig >=app-portage/elt-patches-20170815 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
                          EAPI:      7
     Best versions/slot:  9.50
     Description:         Interpreter for the PostScript language and PDF
     License:             AGPL-3 CPL-1.0
Comment 1 Reva Denis 2020-08-10 15:49:30 UTC

In Russian language (where I found off information)
Comment 2 Reva Denis 2020-08-10 15:52:30 UTC
Some other resources with information about CVE:
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-10 20:54:19 UTC
This appears to be a duplicate of bug 734322.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 02:22:10 UTC
(In reply to John Helmert III (ajak) from comment #3)
> This appears to be a duplicate of bug 734322.

Agreed. Thanks for the report though!

*** This bug has been marked as a duplicate of bug 734322 ***