ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
The .buildfont1 procedure does not sufficiently protect its environment. A specially crafted PostScript file can override the typecheck error handler to retrieve a reference to .forceput. This can be used to disable -dSAFER and, for example, access files outside of the restricted area.
References:
- https://www.openwall.com/lists/oss-security/2019/08/12/4
- https://bugs.ghostscript.com/show_bug.cgi?id=701394
- https://security-tracker.debian.org/tracker/CVE-2019-10216
Patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable