
SoylentNews is people

posted by mrpg on Thursday August 23 2018, @09:39AM
from the smoke-gets-in-your-computer dept.

Threatpost:

Researchers have uncovered vulnerabilities in the widely deployed Ghostscript package that allow bad actors to remotely take control of vulnerable systems. There's no current patch available for the multiple flaws discovered.

Ghostscript is a suite of tools used by hundreds of software suites and coding libraries, which allows desktop software and web servers to handle Adobe Systems' PostScript and PDF page description languages.

Multiple bypass vulnerabilities, disclosed Tuesday, exist in the suite's optional -dSAFER feature, which is ironically supposed to prevent unsafe PostScript operations. By causing Ghostscript (or a program leveraging Ghostscript) to parse a specially-crafted malicious file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.


  • (Score: 0) by Anonymous Coward on Thursday August 23 2018, @10:44AM (#725135)

    If a mail server runs something like Spam Assassin, which may use libgs to read certain file types for malicious code, will it run the embedded commands that are used to take advantage of these vulnerabilities? In other words, can sending an infected attachment to someone infect the mail server?

  • (Score: 1, Informative) by Anonymous Coward on Thursday August 23 2018, @11:15AM (#725143)

    I think maybe you mean clamav my man.

  • (Score: 0) by Anonymous Coward on Thursday August 23 2018, @07:41PM (#725373)

    If you are running a Linux or Unix server and have either SpamAssassin or ClamAV set up correctly, then they have read-only access to their configs and definitions and cannot make outgoing network connections. They only have write access to their sockets used for IPC. Best-case scenario for infection in a situation like that would be chaining an attack, such that the ClamAV scanner executes arbitrary code. That code would either have to have a kernel privilege escalation attack to allow the process to break out or cause the replies on the socket to the caller to contain an exploit that causes that to execute arbitrary code, which would allow a horizontal privilege escalation. HOWEVER, ClamAV and SpamAssassin and most other milters wouldn't be parsing the PDF/PS file and running the code directly, but rather doing some sort of signature analysis.
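
The confinement described in the comment above (read-only configs and definitions, write access only to IPC sockets, no outgoing network connections) can be checked mechanically. The following is an added example, not part of the original thread: it assumes the scanner runs as a systemd service and audits a unit file for those three properties. The unit contents, the `/run/` socket directory and the function names are constructed for illustration.

```python
# Added example: audit a systemd unit for the confinement the comment describes.
# The unit texts below are constructed samples, not any distribution's shipped unit.
TRUE = {"yes", "true", "1", "on"}

def service_settings(unit_text):
    """Collect [Service] directives; systemd allows a key to repeat."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).extend(value.split())
    return settings

def audit_unit(unit_text, socket_dir="/run/"):
    """Return the confinement properties the unit fails to enforce."""
    s = service_settings(unit_text)
    findings = []
    # Read-only configs and definitions: the whole hierarchy is mounted read-only.
    if (s.get("ProtectSystem") or [""])[-1] != "strict":
        findings.append("filesystem not read-only (ProtectSystem=strict missing)")
    # Write access only to IPC sockets (assumed here to live under socket_dir).
    writable = s.get("ReadWritePaths", [])
    if any(not p.lstrip("-+").startswith(socket_dir) for p in writable):
        findings.append("writable path outside the IPC socket directory")
    # No outgoing connections: private network namespace or AF_UNIX sockets only.
    no_net = (s.get("PrivateNetwork") or ["no"])[-1].lower() in TRUE
    unix_only = s.get("RestrictAddressFamilies") == ["AF_UNIX"]
    if not (no_net or unix_only):
        findings.append("outgoing network connections possible")
    return findings

HARDENED = """[Service]
ExecStart=/usr/sbin/clamd
ProtectSystem=strict
ReadWritePaths=/run/clamav
RestrictAddressFamilies=AF_UNIX
"""
LOOSE = """[Service]
ExecStart=/usr/sbin/clamd
ProtectSystem=full
ReadWritePaths=/run/clamav /var/lib/clamav
"""

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED), ("loose", LOOSE)):
        print(name, audit_unit(unit) or "confined as described")
```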