Wednesday, February 27, 2008

Buffer overflow in Ghostscript

Given the huge amount of attention given to xpdf (and derivatives), it is surprising that not as much attention has been given to Ghostscript. Most Linux desktops will render both PDF and PS files directly from the web.

The attack surface of Ghostscript is huge. Not only is PostScript a Turing-complete language[*], but it has a rich set of runtime operators and APIs. Many of these operators and APIs stray into areas of functionality that tend to be integer-overflow prone: decompressors, image parsers, graphics rendering, canvas handling, etc.
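The pattern behind many of the image-parser and canvas bugs alluded to above is a buffer size computed from untrusted header fields in 32-bit arithmetic. The following is an added illustration, not code from Ghostscript or from the CESA advisory: the struct, field names, function names and the 256 MiB bound are constructed for this example. It shows the naive size computation wrapping to zero beside a hardened version that does the arithmetic in 64 bits and rejects the header before any allocation happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image header as a parser would read it from an untrusted
   file; the field names are constructed for this example. */
struct image_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Naive size computation in 32-bit arithmetic. The product wraps modulo
   2^32, so a header claiming 65536 x 65536 x 4 yields 0, and a buffer
   allocated from that value is far too small for the pixel data that
   follows it in the file. */
uint32_t naive_image_size(const struct image_hdr *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Upper bound on a single image buffer; constructed for this example. */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Hardened: reject zero or absurd dimensions, compute in 64 bits, and
   check against an explicit bound before the multiply that could wrap.
   Returns 0 and stores the size in *out, or -1 if the header is rejected. */
int checked_image_size(const struct image_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return -1;

    uint64_t pixels = (uint64_t)h->width * h->height;   /* < 2^64, no wrap */
    if (pixels > MAX_IMAGE_BYTES / h->bytes_per_pixel)  /* bound check first */
        return -1;

    uint64_t bytes = pixels * h->bytes_per_pixel;
    if (bytes > (uint64_t)SIZE_MAX)                     /* matters on 32-bit hosts */
        return -1;

    *out = (size_t)bytes;
    return 0;
}

/* Stand-alone demonstration comparing the two computations on a
   constructed header chosen so that the 32-bit product wraps to zero. */
int main(void)
{
    struct image_hdr bad = { 65536, 65536, 4 };
    size_t sz = 0;

    printf("naive size:   %u bytes\n", naive_image_size(&bad));
    if (checked_image_size(&bad, &sz) != 0)
        printf("checked size: header rejected before allocation\n");
    return 0;
}
```

The defensive point is the order of operations: the bound is compared against a division rather than a product, so no intermediate value can wrap before it is checked, and the reject happens before `malloc` or any copy of file data.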

I've placed technical details of a buffer overflow at:
http://scary.beasts.org/security/CESA-2008-001.html

[*] Client-side execution of such languages has never gone particularly well from a security perspective. Think Java applets, or Javascript.

3 comments:

Anonymous said...

This is fixed by Ghostscript svn revision 8520 and will be in the revision 8.62 release coming out today (Feb 29, 2008).

The attempted exploit will now throw a 'rangecheck' PS error prior to attempting to fill the buffer from the Range array.

Anonymous said...

Does this really work on x86_64?
