Full Disclosure mailing list archives

Re: Multiple memory corruption vulnerabilities in Ghostscript


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 12 May 2010 00:37:55 -0400

On Tue, May 11, 2010 at 11:44 PM, Marsh Ray <marsh () extendedsubset com> wrote:

> How are you supposed to trust a document before you read it?!
> Judge it by its cover perhaps?


Unfortunately, there are few options for mitigation in a scenario like
this.  While I understand the importance of Ghostscript in many
setups, this situation comes down to a question of security versus
functionality.  In encouraging users to "avoid processing untrusted
PostScript files", I was referring to the act of opening PostScript
files from unknown or untrusted sources, as opposed to people you know
or websites you trust.

Perhaps the best thing to do would be to put pressure on the
Ghostscript developers to release a fix for these issues.  Despite the
fact that these issues were reported months ago, I have opened a new
entry in their Bugzilla tonight, which you can follow if you're
interested in their progress on a fix:

http://bugs.ghostscript.com/show_bug.cgi?id=691295

The disclosure of these bugs without a fix is unfortunate, but the
fact that two researchers discovered the same vulnerability
independently should suggest that it is the type of bug that may be
being exploited in the wild.

> Ghostscript is an important part of most Linux systems out there. If
> you remove Ghostscript, you remove the ability to print in most cases.
>
> The advice to avoid opening unknown PS files is good.
>
> Unless you're a printer.


This is absolutely true, which is why concerned administrators may
want to restrict the ability of users to print PostScript documents if
they're worried about these bugs.  The potential for exploitation in
this case seems real but somewhat low: either a trusted user would
need to print a maliciously crafted document without first viewing it,
or an untrusted user already has access to your printer, which might
suggest other problems.


> Last I checked (a long long time ago), PDF wasn't a Turing-complete
> programming language like PostScript, so it wouldn't allow recursion
> needed for this flaw. Maybe that's why they couldn't resist adding
> JavaScript to it.
>
>> If such
>> an attack is possible with a PDF, the flaw is potentially much more
>> serious.
>
> Well, I need to read 'em both.
>
> - Marsh


You are correct that PDF lacks the recursion needed to exploit the
second flaw.  Plus, the PostScript interpreter is a separate component
of Ghostscript from PDF rendering, so there's no reason to assume that
a bug in PostScript would affect PDF or vice versa.  I've confirmed
that Ghostscript is not vulnerable to the PDF equivalent of the
described stack overflow.

-Dan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

