CVE-2019-10216: Ghostscript -dSAFER sandbox bypass vulnerabilities alert

Ghostscript Vulnerability

Artifex has officially merged the fix for Bug 701394 into the master branch of Ghostscript. The fix addresses CVE-2019-10216, a vulnerability that lets a crafted document bypass the Ghostscript security sandbox directly, allowing an attacker to read arbitrary files or execute commands. Ghostscript is widely used, including by image-processing applications such as ImageMagick, python-matplotlib, and libmagick.

Vulnerability description

It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.

Affected version

Ghostscript is the underlying engine that many image-processing tools use for format conversion, so the vulnerability affects every application that depends on Ghostscript, including:

  • imagemagick
  • libmagick
  • graphicsmagick
  • gimp
  • python-matplotlib
  • texlive-core
  • texmacs
  • latex2html
  • latex2rtf

Solution

Linux distributions such as Debian and Red Hat have released updates that fix this vulnerability.
If you cannot update, first disable the use of gs to parse PostScript files. For ImageMagick, it is recommended to modify the policy file (default location: /etc/ImageMagick/policy.xml) and add the following <policy> entries to <policymap> (i.e. disable the PS, EPS, PDF, XPS and PCD coders):

  <policymap>
    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />
    <policy domain="coder" rights="none" pattern="PCD" />
  </policymap>

However, this policy is a fairly coarse deny-list, and some formats not mentioned here may still be processed through Ghostscript and bypass it.
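To verify that the mitigation above is actually in place on a host, the following added example (not part of the advisory or of ImageMagick itself) parses a policy.xml and reports which of the Ghostscript-backed coders listed in the advisory (PS, EPS, PDF, XPS, PCD) are still allowed. The two sample policies embedded in the block are constructed for illustration; the function names, the brace-pattern expansion and the case-insensitive matching are assumptions of this example rather than documented ImageMagick behaviour.

```python
import sys
import xml.etree.ElementTree as ET

# Coders that ImageMagick delegates to Ghostscript, as listed in the advisory.
GS_BACKED_CODERS = ("PS", "EPS", "PDF", "XPS", "PCD")

# Constructed sample: only PS and EPS disabled, the others still enabled.
PARTIAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
</policymap>
"""

# Constructed sample: the full mitigation from the advisory, using the
# brace form "{PDF,XPS}" that ImageMagick accepts for grouping patterns.
FULL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="{PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="PCD" />
</policymap>
"""


def denied_coders(policy_xml: str) -> set:
    """Return the set of coder names that the policy denies all rights to.

    A <policy domain="coder" rights="none" pattern="X"/> entry disables
    coder X.  Patterns are normalised to upper case (assumption: coder
    names are matched case-insensitively) and the simple "{A,B}" brace
    form is expanded into its members.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").lower() != "none":
            continue
        pattern = pol.get("pattern", "").strip()
        if pattern.startswith("{") and pattern.endswith("}"):
            for member in pattern[1:-1].split(","):
                denied.add(member.strip().upper())
        else:
            denied.add(pattern.upper())
    return denied


def unprotected_coders(policy_xml: str) -> list:
    """Ghostscript-backed coders that the policy does NOT disable."""
    denied = denied_coders(policy_xml)
    return [coder for coder in GS_BACKED_CODERS if coder not in denied]


def check_policy_file(path: str) -> list:
    """Read a policy.xml from disk and return the coders still enabled."""
    with open(path, "r", encoding="utf-8") as fh:
        return unprotected_coders(fh.read())


if __name__ == "__main__":
    # Usage: python check_policy.py [/etc/ImageMagick/policy.xml]
    if len(sys.argv) > 1:
        still_enabled = check_policy_file(sys.argv[1])
    else:
        still_enabled = unprotected_coders(PARTIAL_POLICY)
    if still_enabled:
        print("Ghostscript-backed coders still enabled:", ", ".join(still_enabled))
    else:
        print("All Ghostscript-backed coders listed in the advisory are disabled.")
```

Run it against the real file path on a host (the default location given above) to confirm the entries took effect; an empty result means every coder the advisory names is denied. Because the check only knows the five coders listed here, it inherits the same limitation as the policy itself: a format not on the list is not reported.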