ArchLinux: 201904-5: ghostscript: sandbox escape

    Date24 Apr 2019
    CategoryArchLinux
    248
    Posted ByLinuxSecurity Advisories
    The package ghostscript before version 9.27-1 is vulnerable to sandbox escape.
    Arch Linux Security Advisory ASA-201904-5
    =========================================
    
    Severity: High
    Date    : 2019-04-11
    CVE-ID  : CVE-2019-3835 CVE-2019-3838
    Package : ghostscript
    Type    : sandbox escape
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-929
    
    Summary
    =======
    
    The package ghostscript before version 9.27-1 is vulnerable to sandbox
    escape.
    
    Resolution
    ==========
    
    Upgrade to 9.27-1.
    
    # pacman -Syu "ghostscript>=9.27-1"
    
    The problems have been fixed upstream in version 9.27.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-3835 (sandbox escape)
    
    It was found that the superexec operator was available in the internal
    dictionary.  A specially crafted PostScript file could use this flaw in
    order to, for example, have access to the file system outside of the
    constrains imposed by -dSAFER.
    
    - CVE-2019-3838 (sandbox escape)
    
    It was found that the forceput operator could be extracted from the
    DefineResource method using methods similar to the ones described in
    CVE-2019-6116. A specially crafted PostScript file could use this flaw
    in order to, for example, have access to the file system outside of the
    constrains imposed by -dSAFER.
    
    Impact
    ======
    
    A remote attacker is able to escape the sandbox via a specially crafted
    PostScript document.
    
    References
    ==========
    
    https://bugs.archlinux.org/task/62102
    http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
    http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6
    https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
    https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a
    https://security.archlinux.org/CVE-2019-3835
    https://security.archlinux.org/CVE-2019-3838
    
    
    You are not authorised to post comments.

    LinuxSecurity Poll

    What is your favorite LinuxSecurity.com feature?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote
    17
    radio
    [{"id":"65","title":"Feature articles","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"66","title":"News","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"67","title":"HOWTOs","votes":"0","type":"x","order":"3","pct":0,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.