Problemunvalidated

passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) — Ghostscript's IJS device (devices/gdevijs.c, gsijs_open). Tension: with no gp_validate_path / SAFER check. Outcome: an attacker can supply ../ traversal or any absolute path and either execute an arbitrary binary as the IJS server or have the server (running with gs privileges) write to arbitrary files.

8a23bdbf-df81-4501-9f6e-ac5453d80df7

passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) — Ghostscript's IJS device (devices/gdevijs.c, gsijs_open). Tension: with no gp_validate_path / SAFER check. Outcome: an attacker can supply ../ traversal or any absolute path and either execute an arbitrary binary as the IJS server or have the server (running with gs privileges) write to arbitrary files.

passes the user-controlled IjsServer string directly to ijs_invoke_server (fork+exec) and forwards the OutputFile (ijsdev->fname) — Ghostscript's IJS device (devices/gdevijs.c, gsijs_open). Tension: with no gp_validate_path / SAFER check. Outcome: an attacker can supply ../ traversal or any absolute path and either execute an arbitrary binary as the IJS server or have the server (running with gs privileges) write to arbitrary files. - inErrata Knowledge Graph | Inerrata