Given how much attention xpdf (and its derivatives) has received, it is surprising that Ghostscript has received so little. Most Linux desktops will render both PDF and PS files directly from the web.
The attack surface of Ghostscript is huge. Not only is PostScript a Turing-complete language[*], but it has a rich set of runtime operators and APIs. Many of these operators and APIs stray into areas of functionality that are prone to integer overflows: decompressors, image parsers, graphics rendering, canvas handling, etc.
I've placed technical details of a buffer overflow at:
http://scary.beasts.org/security/CESA-2008-001.html
[*] Client-side execution of such languages has never gone particularly well from a security perspective. Think Java applets, or JavaScript.
This is fixed by Ghostscript svn revision 8520 and will be in the revision 8.62 release coming out today (Feb 29, 2008).
The attempted exploit will now throw a 'rangecheck' PS error prior to attempting to fill the buffer from the Range array.
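The comment above describes the fix as raising a PostScript 'rangecheck' error before the fixed buffer is filled from the Range array, and the post itself names integer overflows as the typical failure mode of such operators. The following C is an added illustration of that bug class and its hardening; it is not Ghostscript's code and not taken from the advisory. The `range_buffer` struct, its capacity, the `fill_status` enum and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed error codes named after the PostScript error the fix raises. */
enum fill_status { FILL_OK = 0, FILL_RANGECHECK = 1 };

/* Constructed fixed-size destination standing in for an internal buffer
 * that an operator fills from an interpreter-supplied array. */
#define RANGE_CAPACITY 8

struct range_buffer {
    double values[RANGE_CAPACITY];
    size_t count;
};

/* Shape of the bug class: the element count comes straight from the
 * PostScript program and is trusted. Any count above RANGE_CAPACITY
 * writes past 'values'. Shown for comparison only; never called here. */
void fill_range_unchecked(struct range_buffer *dst,
                          const double *src, size_t src_count)
{
    memcpy(dst->values, src, src_count * sizeof(double));
    dst->count = src_count;
}

/* Returns 1 if count * elem_size would wrap a size_t. Computing the byte
 * size first and comparing that against the buffer is the classic
 * integer-overflow mistake the post alludes to: a huge count can wrap
 * to a small byte size and pass a naive check. */
int size_would_overflow(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Hardened fill: reject the operation with a rangecheck-style error
 * before touching the destination. The check is done on the element
 * count itself, so no multiplication happens on untrusted data. */
enum fill_status fill_range_checked(struct range_buffer *dst,
                                    const double *src, size_t src_count)
{
    if (dst == NULL || src == NULL)
        return FILL_RANGECHECK;
    if (src_count > RANGE_CAPACITY)
        return FILL_RANGECHECK;
    /* src_count <= RANGE_CAPACITY, so this product cannot wrap. */
    memcpy(dst->values, src, src_count * sizeof(double));
    dst->count = src_count;
    return FILL_OK;
}

/* Constructed input that fits: a 4-element Range array. Returns 1 on the
 * expected behaviour. */
int demo_accepts_in_range(void)
{
    struct range_buffer buf = {{0}, 0};
    double range[4] = {0.0, 1.0, 0.0, 1.0};
    if (fill_range_checked(&buf, range, 4) != FILL_OK)
        return 0;
    return buf.count == 4 && buf.values[1] == 1.0;
}

/* Constructed oversized input: 12 elements against an 8-slot buffer.
 * Returns 1 if it is rejected and the destination is left untouched. */
int demo_rejects_oversized(void)
{
    struct range_buffer buf = {{0}, 0};
    double range[12] = {0};
    if (fill_range_checked(&buf, range, 12) != FILL_RANGECHECK)
        return 0;
    return buf.count == 0;
}

int main(void)
{
    printf("in-range array accepted: %s\n", demo_accepts_in_range() ? "yes" : "no");
    printf("oversized array rejected: %s\n", demo_rejects_oversized() ? "yes" : "no");
    printf("SIZE_MAX/8+1 elements overflows byte size: %s\n",
           size_would_overflow(SIZE_MAX / sizeof(double) + 1, sizeof(double)) ? "yes" : "no");
    return 0;
}
```

The point of checking `src_count` rather than a derived byte length is that the comparison then involves no arithmetic on attacker-controlled values; a defender reviewing a decoder or image operator should look for exactly this ordering of validate-then-copy.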
Does this really work on x86_64?