<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Cedric Buissart <cbuissar () redhat com>
Date: Fri, 15 Nov 2019 09:46:02 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hello,
This is to publicly disclose CVE-2019-14869 : "-dSAFER escape in
.charkeys"
This is another instance of a highly priviledged operator being
accessible by specially crafted Postscript code, that can be used to
break out of the -dSAFER limitations.
It was found that `.forceput` operator was present and unprotected in
the `.charkeys` method and could be retrieved via manipulation of the
error handler.
The `.charkeys` method was vulnerable since ghostscript-9.15, in one way
or another: the privileged operator was `superexec` instead of
`.forceput` until a more recent version.
Upstream fix:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f
Upstream bug report (currently private):
https://bugs.ghostscript.com/show_bug.cgi?id=701841
Red Hat would like to thank upstream, Artifex, for alerting us about the
flaw. The vulnerability was originally reported by Paul Manfred & Lukas Schauer.
Note: similarly to other recent ghostscript vulnerabilities, this one is
mitigated by the recent -dSAFER rework. However, ghostscript-9.27 and
older are fully impacted.
--
Cedric Buissart
Red Hat Product Security
Attachment:
signature.asc
Description:
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys Cedric Buissart (Nov 15)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->