Ghostscript Multiple -dSAFER Sandbox Bypass Vulnerabilities Alert

by ddos · August 29, 2019

Several Ghostscript-dSAFER sandbox bypass vulnerabilities (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817) were reported.

Ghostscript is a suite of software providing an interpreter for Adobe Systems’ PostScript (PS) and Portable Document Format (PDF) page description languages. Its primary purpose includes displaying (rasterization & rendering) and printing of document pages, as well as conversions between different document formats.

1- CVE-2019-14811: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445)

2- CVE-2019-14812: Safer Mode Bypass by .forceput Exposure in setuserparams (701444)

3- CVE-2019-14813: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443)

4- CVE-2019-14817: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450)

In each of the above cases, an attacker can obtain a reference to .forceput by creating a specially crafted script to disable -dSAFER protection. The script will then be able to access file systems outside the restricted area and execute arbitrary commands.

The current release does not fix the vulnerability, but the vulnerability has been fixed in Ghostscript commit

CVE-2019-14811, CVE-2019-14812, CVE-2019-14813 : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33

CVE-2019-14817 : http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19