From: Chris Liddell Date: Tue, 21 Aug 2018 19:17:51 +0000 (+0100) Subject: Bug 699658: Fix handling of pre-SAFER opened files. Bug 699658: Fix handling of pre-SAFER opened files. Temp files opened for writing before SAFER is engaged are not subject to the SAFER restrictions - that is handled by recording in a dictionary, and checking that as part of the permissions checks. By adding a custom error handler for invalidaccess, that allowed the filename to be added to the dictionary (despite the attempted open throwing the error) thus meaning subsequent accesses were erroneously permitted. https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=a054156d425b4dbdaaa9fda4b5f1182b27598c2b --- diff -up a/Resource/Init/gs_init.ps.cve-2018-16539 b/Resource/Init/gs_init.ps --- a/Resource/Init/gs_init.ps.cve-2018-16539 2018-11-14 16:34:23.268867657 +0100 +++ b/Resource/Init/gs_init.ps 2018-11-14 16:36:38.765552576 +0100 @@ -2015,6 +2015,19 @@ readonly def concatstrings concatstrings .generate_dir_list_templates } if ] + /PermitFileWriting [ + currentuserparams /PermitFileWriting get aload pop + (TMPDIR) getenv not + { + (TEMP) getenv not + { + (TMP) getenv not + { + (/temp) (/tmp) + } if + } if + } if + ] /LockFilePermissions //true >> setuserparams } @@ -2062,7 +2075,9 @@ readonly def % the file can be deleted later, even if SAFER is set. /.tempfile { .tempfile % filename file - //SAFETY /tempfiles get 2 .argindex //true .forceput + //SAFETY /safe get not { % only add the filename if we're not yet safe + //SAFETY /tempfiles get 2 .argindex //true .forceput + } if } .bind executeonly odef % If we are running in SAFER mode, lock things down