List:       oss-security
Subject:    Re: [oss-security] Re: ghostscript: 1Policy operator gives access to .forceput CVE-2018-18284
From:       Thomas Jarosch <thomas.jarosch () intra2net ! com>
Date:       2019-01-22 15:52:16
Message-ID: 20190122155216.4fx6xh3tlohmxe3n () storm ! m ! i2n

Hi,

You wrote on Thu, Oct 18, 2018 at 01:25:29PM +0000:
> ------- Original Message -------
> On Thursday, October 18, 2018 2:32 PM, Tavis Ormandy <taviso@google.com> wrote:
> 
> > On Thu, Oct 18, 2018 at 3:51 AM Jordan Glover <Golden_Miller83@protonmail.ch> wrote:
> >
> >> Do you know if upstream is going to make new release soon or distros should take the
> >> pain and backport all of those themselves?
> >
> > AFAIK upstream only makes quarterly releases, so I think you need to backport.
> >
> > Tavis.
> 
> In normal, boring times yes, but 9.25 was available just 10 days after 9.24 as an urgent security
> release and it seems it was still not enough.

just a quick follow-up: ghostscript 9.26 was released on 2018-11-20
and fixes the issue demonstrated by the exploit posted in:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1696

*******************************************
# gs executeonly-bypass.pdf 
GPL Ghostscript 9.26 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
what do we want?
        deprecate untrusted postscript!
when do we want it?
        now!
Error: /undefined in .policyprocs
Operand stack:
   --dict:967/1684(ro)(G)--   SAFER   false   --dict:0/0(L)--   --dict:0/0(L)--  
 --dict:967/1684(ro)(G)--   (ignored)   SAFER   false
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   
--nostringval--   2   %stopped_push   --nostringval--   --nostringval--   
--nostringval--   false   1   %stopped_push   2029   1   3   %oparray_pop   2028 
  1   3   %oparray_pop   2009   1   3   %oparray_pop   1868   1   3   
%oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   
--nostringval--   --nostringval--   2   %stopped_push   --nostringval--   
--nostringval--
Dictionary stack:
   --dict:967/1684(ro)(G)--   --dict:0/20(G)--   --dict:79/200(L)--
Current allocation mode is local
Current file position is 575
GPL Ghostscript 9.26: Unrecoverable error, exit code 1
*******************************************

The release timeline of the vendor Artifex is also quite good:

9.24: 2018-09-03
9.25: 2018-09-13
9.26: 2018-11-20
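As an added example (not part of the original message), a POSIX shell check that parses a Ghostscript version banner like the one shown above and reports whether the build is at or above 9.26, the release that fixes CVE-2018-18284. The banner format and the `gs --version` invocation are assumptions about the local install; the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a Ghostscript version
# against 9.26, the first release containing the CVE-2018-18284 fix.
# Assumes banners of the form "GPL Ghostscript 9.26 (2018-11-20)" or the
# bare "9.26" that `gs --version` prints.

FIXED_VERSION="9.26"

# Print the first "major.minor" token found in a banner line.
gs_extract_version() {
    for word in $1; do
        case "$word" in
            *[!0-9.]*) ;;                              # not a version token
            [0-9]*.[0-9]*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 if version $1 >= version $2, comparing major and minor as numbers.
# A plain string comparison would wrongly rank "10.01" below "9.26".
gs_version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# Return 0 if the banner/version line names a build at or above 9.26.
gs_fixed_for_cve_2018_18284() {
    v=$(gs_extract_version "$1") || return 2
    gs_version_ge "$v" "$FIXED_VERSION"
}

# Constructed sample banners (the first matches the one shown in the post).
SAMPLE_FIXED="GPL Ghostscript 9.26 (2018-11-20)"
SAMPLE_VULN="GPL Ghostscript 9.25 (2018-09-13)"

# Stand-alone use: inspect the locally installed gs, if there is one.
if command -v gs >/dev/null 2>&1; then
    installed=$(gs --version 2>/dev/null)
    if gs_fixed_for_cve_2018_18284 "$installed"; then
        echo "gs $installed: at or above $FIXED_VERSION"
    else
        echo "gs $installed: below $FIXED_VERSION, upstream fix missing"
    fi
fi
```

Distribution packages may carry a backported fix under an older version string, as the thread discusses, so a below-9.26 result is a prompt to check the package changelog rather than a verdict on its own.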

Fedora 28, for example, is still vulnerable though.

Best regards,
Thomas Jarosch