CVE-2018-19475: Ghostscript shell command execution in SAFER mode
https://lgtm.com/blog/ghostscript_CVE-2018-19475
2019-01-17 05:12
In this post I’ll explain how I discovered a sandbox bypass in Ghostscript that allows arbitrary shell command execution when an untrusted PostScript or PDF file is viewed or processed.
The restore operator available in PostScript actually first calls z2restore, then uses .setuserparams to re-apply the saved user parameters, including LockFilePermissions. This all sounds very familiar. If I can now find a way to trigger an error after z2restore is called, but before .setuserparams, then the device will be left with LockFilePermissions set to false.
So what could go wrong there? PostScript is a stack-based language and objects are pushed onto an “operand stack”.
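The bug class the post describes is a two-step privilege restore that is not atomic: a low-level restore resets user parameters to their unlocked defaults, and only a second step re-applies the saved LockFilePermissions, so an error raised in between leaves the weaker state behind. The following is an added, simplified model of that pattern written for this page; it is not Ghostscript's code, and the names Interpreter, restore_vulnerable, restore_hardened and run are this example's own. The fault is an injected generic error, and the hardened variant (re-applying the saved parameters in a finally clause) illustrates one defensive shape, not the project's actual fix.

```python
"""Model of the non-atomic settings-restore pattern behind CVE-2018-19475.

Added illustration, not Ghostscript's source. It mirrors the sequence the
post describes: a low-level restore (z2restore) resets user parameters to
defaults, then the saved parameters are re-applied (.setuserparams). An
error between the two steps leaves LockFilePermissions at its default.
"""


class PostScriptError(Exception):
    """Stands in for an interpreter error raised while an operator runs."""


class Interpreter:
    """Hypothetical interpreter holding only the one parameter we care about."""

    def __init__(self):
        # Default state: file permissions are not locked.
        self.user_params = {"LockFilePermissions": False}

    def set_safer(self):
        # What SAFER mode establishes before untrusted input is processed.
        self.user_params["LockFilePermissions"] = True

    def z2restore(self):
        # Low-level restore: resets user parameters to their defaults.
        self.user_params = {"LockFilePermissions": False}

    def setuserparams(self, saved):
        # Re-applies the saved user parameters (the .setuserparams step).
        self.user_params = dict(saved)


def restore_vulnerable(interp, fault):
    """Straight-line restore: an error between the two steps escapes before
    the saved parameters are re-applied, leaving the unlocked default."""
    saved = dict(interp.user_params)
    interp.z2restore()
    fault()  # any error raised here aborts the operator at this point
    interp.setuserparams(saved)


def restore_hardened(interp, fault):
    """Restore that re-applies the saved parameters even when an error is
    raised mid-way, so the interpreter never stays in the default state."""
    saved = dict(interp.user_params)
    interp.z2restore()
    try:
        fault()
    finally:
        interp.setuserparams(saved)


def run(restore):
    """Run a SAFER-mode interpreter through `restore` with an injected error
    and return the LockFilePermissions value left behind (True means the
    sandbox setting survived the failed restore)."""
    interp = Interpreter()
    interp.set_safer()

    def fault():
        raise PostScriptError("injected error")  # constructed fault

    try:
        restore(interp, fault)
    except PostScriptError:
        pass  # the operator failed; what state did it leave behind?
    return interp.user_params["LockFilePermissions"]


if __name__ == "__main__":
    print("vulnerable restore leaves LockFilePermissions =", run(restore_vulnerable))
    print("hardened restore leaves LockFilePermissions  =", run(restore_hardened))
```

Running the module prints False for the vulnerable sequence and True for the hardened one; the point to carry over when reviewing similar code is that any step between "reset to defaults" and "re-apply the saved security parameters" is a window in which an error can strand the process in the weaker state.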
Everything needs to exec everything.
source: grugq