ghostscript: -dSAFER escape in .charkeys (CVE-2019-14869)
This is another instance of a highly privileged operator being accessible from specially crafted PostScript code, which can be used to break out of the -dSAFER restrictions.
It was found that the .forceput operator was present and unprotected in the .charkeys method and could be retrieved via manipulation of the error handler.
The .charkeys method has been vulnerable since ghostscript-9.15, in one way or another: the privileged operator was superexec instead of .forceput until a more recent version.
References:
https://www.openwall.com/lists/oss-security/2019/11/15/1
https://bugs.ghostscript.com/show_bug.cgi?id=701841
Patch:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f