List: oss-security
Subject: [oss-security] CVE-2018-10194 Ghostscript 9.18 stack-based buffer overflow
From: Vítor Silva <vitorhg20080 () gmail ! com>
Date: 2018-04-19 22:22:28
Message-ID: 8250f648-c517-fa70-36db-214d87671a4c () gmail ! com
Hello,
I think I found a possible RCE in ghostscript 9.23. I can reproduce it on
9.18 (but not on 9.23), and the vendor confirmed the vulnerability and
applied a fix for 9.23.
[Suggested description]
The set_text_distance function in devices/vector/gdevpdts.c in the
pdfwrite component in Artifex Ghostscript through 9.22 does not prevent
overflows in text-positioning calculation, which allows remote attackers
to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted PDF document.
------------------------------------------
[Additional Information]
This seems to affect only ghostscript 9.18 or earlier. My
analysis suggests this is a bad validation of input at
pdf_set_text_matrix in gdevpdts.c, causing the pprintg1 function in
spprint.c to write out of bounds of the stack.
I can provide a file as a test case. Even though this seems not to trigger on
newer versions, this package is still available on a lot of systems
(such as Ubuntu or Debian) as the latest version available.
$ gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress
-dHaveTrueTypes=true -dEmbedAllFonts=true \
-dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>>
setdistillerparams" -f fuzzed-case1.ps
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Reg... 4743540
3133830 2015200 710957 1 done.
Loading NimbusRomNo9L-Med font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Med... 4820876
3332725 2035392 735152 1 done.
Loading NimbusMono-Regular font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Regular... 4900004
3527153 2055584 752136 1 done.
Loading NimbusMono-Bold font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Bold... 5118700
3762771 2095968 786137 1 done.
Loading NimbusRomNo9L-RegIta font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-RegIta...
5357220 4001795 2156544 851571 1 done.
Loading NimbusSanL-Reg font from
/usr/share/ghostscript/9.18/Resource/Font/NimbusSanL-Reg... 5556092
4193319 2358464 1039445 1 done.
*** stack smashing detected ***: gs terminated
Aborted (core dumped)
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
ghostscript
------------------------------------------
[Affected Product Code Base]
ghostscript - 9.18
------------------------------------------
[Affected Component]
pprintg1 of ghostscript
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
crafted postscript can crash and/or execute code via buffer overflow
------------------------------------------
[Reference]
https://bugs.ghostscript.com/show_bug.cgi?id=699255
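Added illustration of the bug class the report describes (a text-positioning value formatted into a fixed-size stack buffer), written from a defensive angle; this is not code from the report or from Ghostscript. The buffer size, the magnitude limit and the function names are assumptions for the example; the unsafe path is only measured with a NULL-buffer snprintf, so nothing is actually overflowed.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size scratch buffer like a number formatter might keep on the stack.
 * The size is an assumption for this example, not Ghostscript's. */
#define SCRATCH_LEN 150

/* Largest magnitude the hardened path accepts: anything bigger is not a
 * plausible text-positioning value, so it is rejected before formatting. */
#define MAX_TEXT_DISTANCE 1e9

/* Bytes "%f" needs for v (terminator excluded). snprintf with a NULL
 * buffer only measures, so this never writes anywhere. */
int required_len(double v)
{
    return snprintf(NULL, 0, "%f", v);
}

/* 1 if sprintf(buf, "%f", v) into a SCRATCH_LEN stack array would overflow.
 * This models the unsafe pattern (no length check) without performing it. */
int would_overflow(double v)
{
    return required_len(v) >= SCRATCH_LEN;
}

/* Hardened formatter: reject non-finite or implausibly large input first,
 * then format with an explicit bound and verify the result fit.
 * Returns 0 on success, -1 if the value was rejected or would truncate. */
int format_distance_safe(double v, char *out, size_t outlen)
{
    if (!isfinite(v) || fabs(v) > MAX_TEXT_DISTANCE)
        return -1;                      /* bad input: fail closed */
    int n = snprintf(out, outlen, "%f", v);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;                      /* would not fit: fail closed */
    }
    return 0;
}

int main(void)
{
    char buf[SCRATCH_LEN];
    /* constructed sample inputs: two ordinary coordinates, one huge, one inf */
    double samples[] = { 12.5, -300.25, 1e300, INFINITY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10g need=%4d overflow=%d safe=%d\n", samples[i],
               required_len(samples[i]), would_overflow(samples[i]),
               format_distance_safe(samples[i], buf, sizeof buf));
    return 0;
}
```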