CVE-2019-10216: Ghostscript -dSAFER sandbox bypass vulnerabilities alert

by ddos · August 13, 2019

Artifex officially submitted a fix for the merged Bug 701394 on the master branch of Ghostscript. Designed to fix CVE-2019-10216 vulnerability. The vulnerability can bypass the Ghostscript security sandbox directly, allowing an attacker to read arbitrary files or command execution. Ghostscript is widely used, and image processing applications such as ImageMagick, python-matplotlib, and libmagick.

Vulnerability description

It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.

Affected version

Ghostscript is the underlying application for image processing format conversion. The vulnerability caused all upstream applications that reference GhostScript to be affected.

imagemagick
libmagick

graphicsmagick
gimp
python-matplotlib

texlive-core
texmacs
latex2html

latex2rtf

Solution

Linux distro such as Debian/Redhat released an updated to fix this vulnerability.

If you can’t update, try to disable the use of gs to parse the ps file first. Using ImageMagick, it is recommended to modify the policy file (default location: /etc/ImageMagick/policy.xml) and add the following <policy> to <policymap> (ie disable PS, EPS, PDF, XPS coders, PCD):

<policymap> <policy domain=“coder” rights=“none” pattern=“PS” /> <policy domain=“coder” rights=“none” pattern=“EPS” /> <policy domain=“coder” rights=“none” pattern=“PDF” /> <policy domain=“coder” rights=“none” pattern=“XPS” /> <policy domain=“coder” rights=“none” pattern=“PCD” /> </policymap>

However, the policy is very loose, and there may be some unmentioned formats that are bypassed.

CVE-2019-10216: Ghostscript -dSAFER sandbox bypass vulnerabilities alert

Search

Brilliantly

Content & Links