
World's favourite open-source PDF interpreter needs patching (again)

Still afraid of no ghost? You didn't read the script

Google Project Zero bug-hunter Tavis Ormandy took a "random look at the new release" of Ghostscript, and found a partly addressed vulnerability present in all versions up to 9.26.

Ormandy made his latest discovery on 11 December, while reviewing a bug fix sent to him by developers at Artifex, which maintains Ghostscript and wrote the patch. With fresh updates now available to correct a mistake in that earlier fix, Ormandy went public with the details.

The tl;dr is that Ghostscript code demands very careful handling of pseudo-operators; otherwise the interpreter can leak enough about itself through error messages for an attacker to take control.

Ghostscript is a PostScript and Adobe PDF interpreter that lets *nix users view PDFs. Web servers also inherit Ghostscript vulnerabilities, however, because toolkits such as ImageMagick call it to wrangle the PDFs and other images users are viewing.
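The practical upshot for anyone running a server that renders PDFs, whether directly through Ghostscript or via ImageMagick, is to check what is installed. The POSIX shell script below is an added example and is not code from the article or from Artifex: it flags a Ghostscript version inside the range the article describes as affected (all versions up to 9.26) and checks whether an ImageMagick policy.xml removes all rights for the PS, EPS and PDF coders, which is how ImageMagick is told not to hand those formats to Ghostscript. The function names, the constructed sample policy and the policy file paths it probes are assumptions of the example, and it only recognizes the one-rule-per-line policy layout that ImageMagick ships.

```shell
#!/bin/sh
# Added example (not the article's or Artifex's code): audit helper for hosts
# that render PDFs through Ghostscript, directly or via ImageMagick.
# The threshold 9.26 comes from the article; function names, file paths and
# the sample policy below are constructed for this example.

# gs_is_affected VERSION
# Exit status 0 if VERSION falls within "all versions up to 9.26", else 1.
# Ghostscript prints versions such as "9.26" or "10.02.1".
gs_is_affected() {
    ver="$1"
    major="${ver%%.*}"
    case "$ver" in
        *.*) rest="${ver#*.}"; minor="${rest%%.*}" ;;
        *)   minor=0 ;;
    esac
    # Keep only the leading digits so a suffix like "rc1" does not break the test.
    major="$(printf '%s' "$major" | sed 's/[^0-9].*//')"
    minor="$(printf '%s' "$minor" | sed 's/[^0-9].*//')"
    [ -z "$major" ] && return 1
    [ -z "$minor" ] && minor=0
    if [ "$major" -lt 9 ]; then
        return 0
    elif [ "$major" -eq 9 ] && [ "$minor" -le 26 ]; then
        return 0
    fi
    return 1
}

# policy_blocks_coder POLICY_FILE CODER
# Exit status 0 if the ImageMagick policy file contains an active rule giving
# CODER (e.g. PS, EPS, PDF) no rights, either on its own line or inside a
# brace list such as {EPS,PDF,XPS}. Commented-out rules are ignored, and an
# unreadable file counts as "not blocked".
policy_blocks_coder() {
    file="$1"
    coder="$2"
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*<!--' "$file" |
        grep -E "<policy[^>]*domain=\"coder\"[^>]*rights=\"none\"[^>]*pattern=\"(\{([^}]*,)?$coder(,[^}]*)?\}|$coder)\"" \
        >/dev/null 2>&1
}

# write_sample_policy FILE
# Writes a constructed policy.xml fragment (not a real distribution file) so
# the checker can be exercised without touching the host's ImageMagick config.
write_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="{EPS,PDF,XPS}" />
</policymap>
EOF
}

# audit_host: report on the Ghostscript and ImageMagick policy found locally.
audit_host() {
    if command -v gs >/dev/null 2>&1; then
        v="$(gs --version 2>/dev/null | head -n1)"
        if gs_is_affected "$v"; then
            echo "ghostscript $v: within the affected range (<= 9.26), update it"
        else
            echo "ghostscript $v: outside the range the article describes"
        fi
    else
        echo "ghostscript: not installed"
    fi
    # Assumed locations; adjust for your distribution.
    for f in /etc/ImageMagick-7/policy.xml /etc/ImageMagick-6/policy.xml /etc/ImageMagick/policy.xml; do
        [ -r "$f" ] || continue
        for c in PS EPS PDF; do
            if policy_blocks_coder "$f" "$c"; then
                echo "$f: $c coder blocked"
            else
                echo "$f: $c coder NOT blocked, untrusted $c input reaches Ghostscript"
            fi
        done
    done
}

# Run the audit only when invoked with --audit, e.g. `sh gs_audit.sh --audit`.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Blocking the coders in policy.xml is the blunt instrument the article's closing remark points toward: it stops ImageMagick from passing PostScript-derived formats to Ghostscript at all, at the cost of losing PDF thumbnails and conversions, which is usually an acceptable trade on a server accepting uploads from strangers.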

What he found concerns subroutines buried inside pseudo-operators – and here, El Reg needs to take a deep breath.

To stop end users looking inside subroutines (for "operators they shouldn't be allowed to use," as he explained), those subroutines need to be marked executeonly.

So far, so good, but Ormandy goes on to explain that a subroutine's contents also need to be kept from error handlers, using the odef command, which turns the subroutine into a pseudo-operator. It gets somewhat recursive after that, because a pseudo-operator is not a complete protection on its own. As he put it in the title of his post, "subroutines within pseudo-operators must themselves be pseudo-operators".

If the programmer forgets that (or never knew it in the first place: "nobody ever said writing postscript was easy, lol," he quipped), operators can still end up pushed onto the operand stack. If the code then hits a stack overflow error, that stack is handed to the error handlers, where its contents are potentially visible, and exploitable, from the outside.

While the bugs are tricky to exploit, Ormandy offered a proof of concept that "gives me a high degree of control over the routine" that works with "Evince, ImageMagick, Nautilus" as well as the Gimp editor and other libraries.

After much back-and-forth, fresh patches were released for Ghostscript, which Ormandy linked to at the bottom of his post.

However, he remains wary of the whole thing, writing that "untrusted postscript needs to be deprecated ASAP", which echoes his August 2018 call for Ghostscript to be dumped. ®
