Message-ID: <AANLkTim6EFmr1z7sEUeTJzSp4TIpMekNP6-eCiWnfVq-@mail.gmail.com>
Date: Wed, 12 May 2010 00:37:55 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple memory corruption vulnerabilities in Ghostscript

On Tue, May 11, 2010 at 11:44 PM, Marsh Ray <marsh@...endedsubset.com> wrote:
>
> How are you supposed to trust a document before you read it?!
> Judge it by its cover perhaps?
>

Unfortunately, there are few options for mitigation in a scenario like this. While I understand the importance of Ghostscript in many setups, this situation comes down to a question of security versus functionality. In encouraging users to "avoid processing untrusted PostScript files", I was referring to the act of opening PostScript files from unknown or untrusted sources, as opposed to people you know or websites you trust.

Perhaps the best thing to do would be to put pressure on the Ghostscript developers to release a fix for these issues. Despite the fact that these issues were reported months ago, I have opened a new entry in their Bugzilla tonight, which you can follow if you're interested in their progress on a fix:

http://bugs.ghostscript.com/show_bug.cgi?id=691295

The disclosure of these bugs without a fix is unfortunate, but the fact that two researchers discovered the same vulnerability independently should suggest that it is the type of bug that may be being exploited in the wild.

>> Ghostscript is an important part of most Linux systems out there. If
>> you remove Ghostscript, you remove the ability to print in most cases.
>>
>> The advice to avoid opening unknown PS files is good.
>
> Unless you're a printer.
>

This is absolutely true, which is why concerned administrators may want to restrict the ability of users to print PostScript documents if they're worried about these bugs. The potential for exploitation in this case seems real but somewhat low: either a trusted user would need to print a maliciously crafted document without first viewing it, or an untrusted user already has access to your printer, which might suggest other problems.

>
> Last I checked (a long long time ago), PDF wasn't a Turing-complete
> programming language like Postscript, so it wouldn't allow recursion
> needed for this flaw. Maybe that's why they couldn't resist adding
> Javascript to it.
>
>> If such
>> an attack is possible with a PDF, the flaw is potentially much more
>> serious.
>
> Well, I need to read 'em both.
>
> - Marsh
>

You are correct that PDF lacks the recursion needed to exploit the second flaw. Plus, the PostScript interpreter is a separate component of Ghostscript from PDF rendering, so there's no reason to assume that a bug in PostScript would affect PDF or vice versa. I've confirmed that Ghostscript is not vulnerable to the PDF equivalent of the described stack overflow.

-Dan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/