[v3.0] ghostscript: Crash file for the ps2pdf command (CVE-2015-3228)
The crash can be triggered with the following command on older versions of Ghostscript:
$ ps2pdf test.ps
Segmentation fault
The affected versions are still shipped by various distributions.
ps2pdf is a shell script that calls the gs binary in the following way:
$ /usr/bin/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH \
    -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile=test.pdf -P- -dSAFER \
    -dCompatibilityLevel=1.4 -c .setpdfwrite -f test.ps
Segmentation fault
I attached gdb and valgrind sessions showing the crash on RHEL 6.6 and RHEL 7.1.1503.
The versions of the affected packages on RHEL are:
RHEL 6.6:
ghostscript-8.70-19.el6.x86_64
ghostscript-debuginfo-8.70-19.el6.x86_64
ghostscript-fonts-5.50-23.2.el6.noarch
RHEL 7.1.1503:
ghostscript-9.07-18.el7.x86_64
ghostscript-debuginfo-9.07-18.el7.x86_64
ghostscript-fonts-5.50-32.el7.noarch
The problem does not occur with the current source revision.
The following commit fixes the segfault, but the problem is not mentioned in the commit log:
ecc7a199e9307475c37fea0c44d24b85df814ead
The offending file seems to be gs/Resource/Init/gs_ttf.ps
If one replaces this file with the one from the specified commit (or from the current master) on RHEL 7.1.1503 or RHEL 6.6, the segfault does not occur anymore.
Since the influence of this commit on the problem is not yet fully understood, the problem might still be present in the current version of gs.
Reference:
http://bugs.ghostscript.com/show_bug.cgi?id=696041
(from redmine: issue id 4470, created on 2015-07-24, closed on 2015-08-05)
- Relations:
  - parent #4468 (closed)
- Changesets:
  - Revision 6c275fa9 by Natanael Copa on 2015-08-04T14:35:15Z:
    main/ghostscript: security fix for CVE-2015-3228
    fixes #4470
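To confirm on a given host that a patched package (or a replaced gs_ttf.ps) no longer segfaults, the conversion's exit status can be checked for death by signal. The script below is an added example, not part of the original report or of the ghostscript package; the function names and the PS2PDF override variable are hypothetical, and the reporter's test.ps is not included on this page.

```shell
#!/bin/sh
# Added example: tell a crash (death by signal) apart from an ordinary
# conversion error when re-testing ps2pdf after an update.
# Usage after sourcing this file:  check_ps2pdf test.ps

# classify_status STATUS -> prints "ok", "signal:<n>" or "exit:<n>".
# A shell reports a child killed by signal n as status 128+n, so a
# segmentation fault (SIGSEGV, 11) shows up as 139.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "signal:$((status - 128))"
    else
        echo "exit:$status"
    fi
}

# run_and_classify CMD [ARGS...] -> runs CMD quietly and classifies how it ended.
# The "|| status=$?" form keeps this working under "set -e".
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_ps2pdf FILE -> converts FILE into a scratch directory, prints the
# classification, and returns 0 only if the conversion succeeded.
# PS2PDF (hypothetical override) selects the converter; default is ps2pdf.
check_ps2pdf() {
    input=$1
    workdir=$(mktemp -d) || return 2
    result=$(run_and_classify "${PS2PDF:-ps2pdf}" "$input" "$workdir/out.pdf")
    rm -rf "$workdir"
    echo "$result"
    [ "$result" = "ok" ]
}
```

A result of `signal:11` corresponds to the "Segmentation fault" shown in the report; `exit:127` means the converter was not found on the PATH.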