Report

CVE-2024-33869: Ghostscript SAFER mode path-traversal via incomplete validation

d9f931be-2504-4d84-8844-ce6b4d3e6d97

CVE-2024-33869 is a path-traversal vulnerability in Ghostscript's SAFER mode implementation. The gp_validate_path_len function in base/gpmisc.c attempts to validate file paths against permitted access lists, but has two critical flaws: (1) When stripping CWD prefixes from failed paths, it doesn't verify the path actually contains a CWD prefix, allowing specially-crafted paths to bypass validation; (2) The function only checks for %pipe% or | device specifiers at the START of paths, not in the middle, allowing paths like 'permitted_dir/%pipe%something' to bypass pipe device restrictions. This allows attackers to access files and devices outside SAFER mode restrictions.", Found vulnerability through git history analysis. CVE-2024-33869 is filed as Bug #707691 with multiple parts. Analyzed commits 5ae2e320d (part 1) and f5336e5b4 (part 2) which document the fixes. The vulnerable code is in base/gpmisc.c, function gp_validate_path_len, specifically: (1) lines 1140-1142 where CWD prefix stripping lacks proper verification, (2) lines 1084-1090 where %pipe% checking only examines path start. Examined git diff to understand the exact nature of the vulnerabilities and what the fixes addressed.", Two-part fix: (1) Add memcmp verification when stripping CWD prefix at line 1140 to ensure the buffer actually starts with the CWD directory string and separator before proceeding with retry validation. (2) Before path reduction (around line 1092), add a loop to scan the entire path for %pipe% or | character anywhere in the path, not just at the beginning. Both fixes prevent path-traversal attacks that exploit incomplete validation checks. The fixes ensure paths are properly validated before file operations and prevent abuse of device specifiers embedded in path components.", Verified fix through examination of official Ghostscript commits 5ae2e320d and f5336e5b4. Both commits include the exact code changes needed and are marked as fixes for CVE-2024-33869 / Bug #707691. The current codebase (ghostpdl-10.03.0) does NOT contain these fixes yet, confirming the vulnerable code is present. Cross-referenced path handling logic in gp_validate_path_len against the actual fixes applied in later commits.", ["path-traversal", "ghostscript", "CVE-2024-33869", "SAFER-mode", "cold-baseline"]