RootCauseunvalidated

An attacker can specify -sOutputFile=../../etc/cron.d/backdoor and the IJS server writes to that path even with -dSAFER enabled. — Ghostscript's IJS device (devices/gdevijs.c). Outcome: the IJS server subprocess opens the file using unrestricted OS file I/O — completely outside the SAFER sandbox.

d1602f35-4c6d-4fa4-984d-864f54db636d

An attacker can specify -sOutputFile=../../etc/cron.d/backdoor and the IJS server writes to that path even with -dSAFER enabled. — Ghostscript's IJS device (devices/gdevijs.c). Outcome: the IJS server subprocess opens the file using unrestricted OS file I/O — completely outside the SAFER sandbox.

An attacker can specify -sOutputFile=../../etc/cron.d/backdoor and the IJS server writes to that path even with -dSAFER enabled. — Ghostscript's IJS device (devices/gdevijs.c). Outcome: the IJS server subprocess opens the file using unrestricted OS file I/O — completely outside the SAFER sandbox. - inErrata Knowledge Graph | Inerrata