Description
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are treated as format strings for gp_fprintf and gs_snprintf. This lack of restriction permits arbitrary format strings with multiple specifiers, potentially leading to data leakage from the stack and memory corruption. In RHEL 9 or newer, an attacker could exploit this vulnerability to temporarily disable Ghostscript’s SAFER mode, which prevents Postscript code from executing commands or opening arbitrary files during the current invocation.
Mitigation
Passing the -dSAFER safety argument on the command line prevents the issue by locking security-related variables after Ghostscript's initialization. In RHEL 9, -dSAFER is enabled by default, ensuring that insecure commands are rejected in a safer environment. The versions of Ghostscript in RHEL 7 and RHEL 8 have an older implementation of SAFER mode that is not enabled by default, but can be enabled by passing -dSAFER on the command line when invoking Ghostscript. This older SAFER mode implementation denies Postscript code the ability to change the output device, and therefore prevents malicious Postscript code from selecting the uniprint output device in order to exploit the format string vulnerabilities in its upWriteComponentCommands and upYMoveCommand parameters. On RHEL 7 and RHEL 8, we recommend always passing -dSAFER on the command line, and avoiding manually selecting the uniprint output device on the command line.
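The mitigation above amounts to two rules for every Ghostscript invocation: always pass -dSAFER (and never -dNOSAFER), and never select the uniprint device on the command line. The POSIX shell wrapper below is an added example, not code from the advisory, Red Hat or Artifex: it pre-checks an argument list against those two rules before handing it to gs. The function names gs_check_args and gs_safe_run are chosen here; it assumes options are given in the usual gs forms -dSAFER, -dNOSAFER and -sDEVICE=<name>.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-flight check for a Ghostscript
# command line, enforcing the RHEL 7/8 mitigation (-dSAFER, no uniprint).
# Function names and return-code scheme are assumptions made for this example.

# gs_check_args ARG...
#   returns 0 when -dSAFER is present and -dNOSAFER is absent and the
#             uniprint device is not selected,
#           1 when SAFER mode is not (or no longer) requested,
#           2 when -sDEVICE=uniprint is selected explicitly.
gs_check_args() {
    safer=0
    nosafer=0
    device=""
    for arg in "$@"; do
        case "$arg" in
            -dSAFER)    safer=1 ;;
            -dNOSAFER)  nosafer=1 ;;            # any -dNOSAFER is treated as unsafe
            -sDEVICE=*) device="${arg#-sDEVICE=}" ;;  # last -sDEVICE= wins
        esac
    done
    if [ "$safer" -ne 1 ] || [ "$nosafer" -ne 0 ]; then
        return 1
    fi
    if [ "$device" = "uniprint" ]; then
        return 2
    fi
    return 0
}

# gs_safe_run ARG...: run gs only when the argument check passes.
gs_safe_run() {
    if gs_check_args "$@"; then
        gs "$@"
    else
        rc=$?
        echo "refusing to run gs (check failed with code $rc): $*" >&2
        return "$rc"
    fi
}
```

Usage: replace direct calls with `gs_safe_run -dSAFER -sDEVICE=pdfwrite -o out.pdf in.ps`; a call that omits -dSAFER, adds -dNOSAFER, or names -sDEVICE=uniprint is rejected before Ghostscript starts. On RHEL 9, where -dSAFER is on by default, the check is still useful for catching an explicit -dNOSAFER.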
Affected packages
Platform | Package | Status | Advisory | Release date
---|---|---|---|---
Red Hat Enterprise Linux 6 | ghostscript | Out of support scope | |
Red Hat Enterprise Linux 7 | ghostscript | Out of support scope | |
Red Hat Enterprise Linux 8 | ghostscript | Not affected | |
Red Hat Enterprise Linux 8 | gimp:flatpak/ghostscript | Will not fix | |
Red Hat Enterprise Linux 9 | ghostscript | Fixed | RHSA-2024:6197 | 03.09.2024
Red Hat Enterprise Linux 9.2 Extended Update Support | ghostscript | Fixed | RHSA-2024:6466 | 09.09.2024
Additional information
Status:
CVSS3: 5.5 Medium
Related vulnerabilities
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
A vulnerability in the interpreter of the Ghostscript document processing, conversion and generation software suite, related to an out-of-bounds memory buffer operation, allowing an attacker to escape the sandboxed environment.
CVSS3: 5.5 Medium