Open Source and information security mailing list archives
 
Message-ID: <AANLkTim6EFmr1z7sEUeTJzSp4TIpMekNP6-eCiWnfVq-@mail.gmail.com>
Date: Wed, 12 May 2010 00:37:55 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple memory corruption vulnerabilities in Ghostscript

On Tue, May 11, 2010 at 11:44 PM, Marsh Ray <marsh@...endedsubset.com> wrote:
>
> How are you supposed to trust a document before you read it?!
> Judge it by its cover perhaps?
>

Unfortunately, there are few options for mitigation in a scenario like
this.  While I understand the importance of Ghostscript in many
setups, this situation comes down to a question of security versus
functionality.  In encouraging users to "avoid processing untrusted
PostScript files", I was referring to the act of opening PostScript
files from unknown or untrusted sources, as opposed to people you know
or websites you trust.

Perhaps the best thing to do would be to put pressure on the
Ghostscript developers to release a fix for these issues.  Despite the
fact that these issues were reported months ago, I have opened a new
entry in their Bugzilla tonight, which you can follow if you're
interested in their progress on a fix:

http://bugs.ghostscript.com/show_bug.cgi?id=691295

The disclosure of these bugs without a fix is unfortunate, but the
fact that two researchers discovered the same vulnerability
independently should suggest that it is the type of bug that may be
being exploited in the wild.

>> Ghostscript is an important part of most Linux systems out there. If
>> you remove Ghostscript, you remove the ability to print in most cases.
>>
>> The advice to avoid opening unknown PS files is good.
>
> Unless you're a printer.
>

This is absolutely true, which is why concerned administrators may
want to restrict the ability of users to print PostScript documents if
they're worried about these bugs.  The potential for exploitation in
this case seems real but somewhat low: either a trusted user would
need to print a maliciously crafted document without first viewing it,
or an untrusted user already has access to your printer, which might
suggest other problems.

>
> Last I checked (a long long time ago), PDF wasn't a Turing-complete
> programming language like Postscript, so it wouldn't allow recursion
> needed for this flaw. Maybe that's why they couldn't resist adding
> Javascript to it.
>
>> If such
>> an attack is possible with a PDF, the flaw is potentially much more
>> serious.
>
> Well, I need to read 'em both.
>
> - Marsh
>

You are correct that PDF lacks the recursion needed to exploit the
second flaw.  Plus, the PostScript interpreter is a separate component
of Ghostscript from PDF rendering, so there's no reason to assume that
a bug in PostScript would affect PDF or vice versa.  I've confirmed
that Ghostscript is not vulnerable to the PDF equivalent of the
described stack overflow.

-Dan
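
The mitigation Dan describes (let PDF through, but only interpret PostScript from people you trust) can be enforced ahead of the gs invocation in a print queue or mail gateway. The script below is an added example written for this archive page; it is not code from the original message or from the Ghostscript project. The function names, the trusted-submitter list and the sample documents are assumptions made for the illustration. The check is deliberately content-based rather than extension-based, because Ghostscript picks the interpreter from what the file contains, not from its name.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message or from
# the Ghostscript project. It implements the mitigation Dan describes as a
# pre-filter for a print queue or mail gateway: decide, before anything is
# handed to Ghostscript, whether a submitted file may be interpreted.
# Policy: PDF is accepted from anyone; PostScript only from a trusted
# submitter. The function names, the trusted-user list and the sample
# documents are assumptions made for this example.

# Submitters whose PostScript we are willing to interpret (assumed value).
TRUSTED_SUBMITTERS="alice bob"

# Print "postscript", "pdf" or "unknown" from the file's first bytes.
# Ghostscript picks the interpreter from the content, not the file name,
# so a PostScript program renamed to .pdf must still classify as PostScript.
classify_doc() {
    # Read 16 bytes, drop a leading Ctrl-D (some drivers prepend one) and
    # any leading whitespace before the magic string.
    magic=$(dd if="$1" bs=16 count=1 2>/dev/null | tr -d '\004' | sed 's/^[[:space:]]*//')
    case "$magic" in
        "%!PS"*)  echo postscript ;;
        "%PDF-"*) echo pdf ;;
        *)        echo unknown ;;
    esac
}

# Decide for one document and its submitter: exit status 0 = allow,
# 1 = deny. Prints the decision and the reason.
gs_policy() {
    file=$1
    submitter=$2
    kind=$(classify_doc "$file")
    case "$kind" in
        pdf)
            echo "allow: $file is PDF"
            return 0 ;;
        postscript)
            for u in $TRUSTED_SUBMITTERS; do
                if [ "$u" = "$submitter" ]; then
                    echo "allow: $file is PostScript from trusted submitter $submitter"
                    return 0
                fi
            done
            echo "deny: $file is PostScript from untrusted submitter $submitter"
            return 1 ;;
        *)
            echo "deny: $file is neither PDF nor PostScript"
            return 1 ;;
    esac
}

# Constructed sample documents (not real submissions).
DEMO_DIR=$(mktemp -d)
printf '%%!PS-Adobe-3.0\n72 720 moveto (hello) show showpage\n' > "$DEMO_DIR/report.ps"
printf '%%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n' > "$DEMO_DIR/invoice.pdf"
# PostScript with a misleading .pdf name and a leading Ctrl-D: content wins.
printf '\004%%!PS-Adobe-3.0\n72 720 moveto (hello) show showpage\n' > "$DEMO_DIR/renamed.pdf"
printf 'just some text\n' > "$DEMO_DIR/notes.txt"

gs_policy "$DEMO_DIR/report.ps"   alice   || true
gs_policy "$DEMO_DIR/report.ps"   mallory || true
gs_policy "$DEMO_DIR/invoice.pdf" mallory || true
gs_policy "$DEMO_DIR/renamed.pdf" mallory || true
gs_policy "$DEMO_DIR/notes.txt"   alice   || true
```

Run the filter before the gs command in the spooler or gateway and only invoke Ghostscript when it returns 0. The gs invocation should still carry -dSAFER, but note what that flag does and does not do: it restricts file and device access from PostScript, it does not stop memory corruption inside the interpreter, which is why the gate above is an allow-list on the source rather than a sandbox. It is a stopgap for the window until the fix tracked in the Bugzilla entry ships, and it shares the limitation Dan points out: a trusted submitter who prints a crafted file without first looking at it still gets it interpreted.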

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
