Google Project Zero bug-hunter Tavis Ormandy took a "random look at the new release" of Ghostscript, and found a partly addressed vulnerability present in all versions up to 9.26.
Ormandy made his latest discovery on 11 December, while reviewing a bug fix sent to him by devs at Artifex, which maintains Ghostscript and came up with the patch. With fresh updates now available to correct a blunder in that earlier bug fix, Ormandy went public in describing the issue.
The tl;dr of it is that Ghostscript coding demands very careful handling of pseudo-operators, or the code can leak enough about itself through error messages that an attacker can take control.
Ghostscript is a Postscript and Adobe PDF interpreter that lets *nix users view PDFs. However, web servers also inherit Ghostscript vulnerabilities, because toolkits like ImageMagick use it to wrangle PDFs and other images users are viewing.
What he found relates to what happens to subroutines buried inside pseudo-operators – and here, El Reg needs to take a deep breath.
To protect subroutines so end-users can't look inside them (looking for "operators they shouldn't be allowed to use," he explained), they need to be marked as executeonly.
So far, so good, but Ormandy goes on to explain that the subroutines also need to be protected from exposing their contents to error handlers, using the odef command, which turns them into pseudo-operators. It gets kind of recursive after that, because the pseudo-operator isn't a complete protection. As he wrote in the title, "subroutines within pseudo-operators must themselves be pseudo-operators".
If the programmer forgets that (or didn't know it in the first place: "nobody ever said writing postscript was easy, lol," he quipped), operators can still end up being pushed onto the operand stack, and if there's some kind of stack overflow error in the code, that is exposed to the error handlers and potentially viewable and exploitable from the outside.
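To make the rule concrete, here is an added PostScript illustration of the two patterns Ormandy contrasts. It is not code from Ghostscript's own init files or from his report; it assumes Ghostscript's internal odef operator (which turns a procedure into a pseudo-operator) together with the standard bind and executeonly operators, and the names .fmtint.unsafe, .fmtint, brokenop and fixedop are made up for the example.

```postscript
% Added illustration, not Ghostscript's own code. Assumes Ghostscript's
% internal odef operator; the names below are invented for this example.

% Pattern that breaks the rule: the outer routine is a pseudo-operator,
% but the helper it calls is an ordinary executeonly procedure.
% executeonly stops a user from reading the procedure's body, yet if an
% error such as stackoverflow is raised while the helper is running, the
% objects it was working with (here a stand-in for whatever internal
% operators a real helper would use) are left on the operand stack where
% the caller's error handler can see them.
/.fmtint.unsafe {        % <int> .fmtint.unsafe <string>
  12 string cvs
} bind executeonly def

/brokenop {              % <int> brokenop -
  .fmtint.unsafe print
} bind executeonly odef

% Pattern that follows the rule: every subroutine reachable from a
% pseudo-operator is itself made a pseudo-operator with odef, so an error
% inside it is reported against the operator name rather than against
% whatever was executing inside it, and its internals are not exposed to
% error handlers.
/.fmtint {               % <int> .fmtint <string>
  12 string cvs
} bind executeonly odef

/fixedop {               % <int> fixedop -
  .fmtint print
} bind executeonly odef
```

The difference between the two is a single word on the helper's definition line, which is exactly why the mistake is easy to make and hard to spot in review: the outer operator looks correctly protected either way.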
While the bugs are tricky to exploit, Ormandy offered a proof of concept that "gives me a high degree of control over the routine" that works with "Evince, ImageMagick, Nautilus" as well as the Gimp editor and other libraries.
After much back-and-forth, fresh patches were emitted by Ghostscript, which Ormandy linked to at the bottom of his post.
However, he's still wary of the whole thing, writing that "untrusted postscript needs to be deprecated ASAP", something that echoed his August 2018 call for Ghostscript to be dumped. ®