** Changed in: ghostscript (Ubuntu)
Assignee: (unassigned) => Skymathrix (asstaroid)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.
https://bugs.launchpad.net/bugs/546009
Title:
Multiple memory corruption vulnerabilities in Ghostscript
Status in GS-GPL:
Fix Released
Status in ghostscript package in Ubuntu:
Fix Released
Bug description:
Binary package hint: ghostscript
I have discovered multiple memory corruption vulnerabilities in
Ghostscript, which can be triggered when using Ghostscript to view
maliciously crafted PostScript files.
1. The Ghostscript interpreter fails to properly handle some cases of
infinite recursion. By creating a .ps file with a sequence such as:
/A{pop 0 A 0} bind def
/product A 0
The interpreter's internal stack will be overflowed with recursive
calls. Rather than gracefully handling this situation, the
interpreter continues execution by jumping to an (usually invalid)
address near (or past) the tail end of the stack. Without further
manipulation, this would simply result in a segfault, but it turns out
that by altering the number of variable definitions that occur before
the call to the infinitely recursive procedure, the user can actually
exert control over the address that is jumped to. Combined with the
fact that the attacker has an easy way to introduce shellcode (via the
.ps file), this can definitely result in arbitrary code execution. I
have not developed a fully functional exploit for this case, but the
attached reproducer ("infinite.ps") will trigger a segfault in the
same location on all of the versions of Ghostscript I have tested,
including 8.61, 8.62, 8.64, and 8.70. If you wish to more
convincingly verify that this is exploitable, place varying amounts of
"/A{ 0 } bind def" strings at the beginning of the file, and observe
how the EIP at crash time is altered. Unfortunately, the Ghostscript
code is rather complex, so I am unable to determine the root cause of
this vulnerability in the source.
2. Ghostscript fails to properly parse very long identifiers, leading
to memory corruption and potentially arbitrary code execution. The
resulting behavior depends on the version of Ghostscript. I have
found that 8.61 (Hardy) is not vulnerable. However, 8.64 (Jaunty) is
vulnerable and exploitable. I haven't been able to pin down the exact
cause for the overflow, but the exploitable memory access occurs in
gc_objects_clear_marks(), in psi/igc.c, when *(pre + 1) is called as a
function. 8.70 (Karmic) is also vulnerable to an overflow when
parsing very long identifiers, but this time, rather than an invalid
(exploitable) function pointer call, the issue is a classic stack
overflow. The overflow occurs due to a bad memcpy() call in
dynamic_save(), called in scan_token() in psi/iscan.c at line 1061.
Successful exploitation is mitigated by SSP - it catches the overflow
and terminates - so on Karmic this should only result in denial of
service.
The attached reproducer ("overflow.ps") will trigger overflows in both
8.64 and 8.70 due to the different reasons described above.
To manage notifications about this bug go to:
https://bugs.launchpad.net/gs-gpl/+bug/546009/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
