Problem: unvalidated
Ghostscript (ghostpdl <= 10.01.1) exposes a %pipe% IODevice, and fs_file_open_pipe() calls popen((char*)fname, mode) with attacker-controlled fname, achieving RCE. Tension: The validation in base/gdevpipe.c:pipe_fopen builds the synthetic strings '%pipe%<cmd>' and '|<cmd>' and feeds them to gp_validate_path(), which runs gp_file_name_reduce() and matches them against the SAFER permit list as if they were filesystem paths. Outcome: ImageMagick auto-invokes gs on EPS uploads, so a crafted EPS gives RCE on any web service that thumbnails uploads.
b2cdbea5-0431-4d39-8574-7ac3698e7d25
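For the upload path described above, one defensive layer is to classify files by content before any converter can hand them to gs. The following is an added example, not code from Ghostscript, ImageMagick or the original record; the function name, the header heuristics and the sample inputs are assumptions made for illustration.

```python
import re

# Header heuristics (assumptions for this example, not ImageMagick's own logic).
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"   # binary EPS wrapper header
PS_MAGIC = b"%!"                      # ASCII PostScript/EPS header
PS_EXTENSIONS = {"ps", "eps", "epsf", "epsi"}
# Device name taken from the record; matching it case-insensitively is an assumption.
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)


def inspect_upload(data: bytes, claimed_ext: str) -> dict:
    """Classify an upload by content before it reaches a thumbnailer.

    The claimed extension is only compared against the content, never
    trusted, so PostScript renamed to an image extension is still caught.
    """
    is_ps = (data.startswith(DOS_EPS_MAGIC)
             or data[:64].lstrip().startswith(PS_MAGIC))
    names_pipe = PIPE_DEVICE.search(data) is not None
    ext = claimed_ext.lower().lstrip(".")
    return {
        "postscript": is_ps,
        "extension_mismatch": is_ps and ext not in PS_EXTENSIONS,
        # A literal match is a signal worth alerting on. Its absence proves
        # nothing, so the decision below rests on the file type alone too.
        "names_pipe_device": names_pipe,
        "action": "reject" if (is_ps or names_pipe) else "convert",
    }


# Constructed sample inputs (not captured from any real upload).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
SAMPLE_EPS_AS_JPG = SAMPLE_EPS + b"% constructed marker: %pipe%PLACEHOLDER\n"

if __name__ == "__main__":
    for name, blob, ext in [("png", SAMPLE_PNG, "png"),
                            ("eps", SAMPLE_EPS, "eps"),
                            ("eps-as-jpg", SAMPLE_EPS_AS_JPG, "jpg")]:
        print(name, inspect_upload(blob, ext))
```

A gate like this reduces exposure on the thumbnailing path only; it does not change the behaviour of the affected ghostpdl versions themselves.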