A dangerous buffer overflow vulnerability, tracked as CVE-2023-38559, has been discovered in the Ghostscript open-source suite. Ghostscript is a popular package that lets users view, render, and convert PDF and PostScript files. The vulnerability is located at 'base/gdevdevn.c:1973', in the 'devn_pcx_write_rle()' function. Local attackers can exploit this flaw by creating malicious PDF files and outputting them using the DEVN device with Ghostscript, causing a denial of service.

Exploit Details

The 'devn_pcx_write_rle()' function, located at 'base/gdevdevn.c:1973', handles RLE (Run Length Encoding) compressed data. The vulnerability arises from improper handling of input data, leading to a buffer overflow in the Ghostscript process. This condition allows a local attacker to execute arbitrary code and ultimately cause a denial of service.

The affected code in the 'base/gdevdevn.c' file is as follows:

static int
devn_pcx_write_rle(gx_device_printer * pdev, const byte * src, byte * dest, int row_bytes, int plane_bytes)
{
    [...]

    while (count < row_bytes) { 
        byte data = src[count++];
        if (*src_old != data || count == row_bytes) {
            if (repeat > 1) {
                *dest++ = 0xC0 | (repeat - 1);
                *dest++ = *src_old;
                repeat = 1;
                src_old = src + count - 1;
            } else {
                if ((*src_old & 0xC0) == 0xC0) {
                    *dest++ = 0xC0;
                }
                *dest++ = *src_old;
                repeat = 0;
                src_old = src + count;
            }
        } else {
            repeat++;
        }
    }

    [...]
}

The 'repeat' value is not properly bounded, leading to a buffer overflow when dealing with crafted input data. This issue is particularly concerning because it may be exploited by local attackers crafting malicious PDF files. An attacker can output the malformed file with Ghostscript for a DEVN device, causing the software to crash and resulting in a denial of service for users.
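
For contrast, here is a bounded PCX-style RLE encoder as an added example; it is not Ghostscript's code and not the upstream fix. The function name pcx_rle_encode_bounded, its signature and the sample row are assumptions made for illustration, and the encoder follows the standard PCX convention of a 0xC0 | count byte followed by the data byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCX_RLE_MARK 0xC0u /* top two bits set: byte is a run count */
#define PCX_MAX_RUN  63u   /* the count must fit in the low six bits */

/* Hypothetical helper (not Ghostscript code). Encodes src[0..src_len) into
 * dest[0..dest_cap). Returns bytes written, or -1 if dest is too small. */
long pcx_rle_encode_bounded(const uint8_t *src, size_t src_len,
                            uint8_t *dest, size_t dest_cap)
{
    size_t in = 0, out = 0;

    if (src == NULL || dest == NULL)
        return -1;
    while (in < src_len) {
        uint8_t data = src[in];
        size_t run = 1;

        /* Count repeats without reading past src or overflowing 6 bits. */
        while (in + run < src_len && run < PCX_MAX_RUN && src[in + run] == data)
            run++;
        /* A run, or a literal that looks like a marker, takes two bytes. */
        size_t need = (run > 1 || (data & PCX_RLE_MARK) == PCX_RLE_MARK) ? 2 : 1;
        if (dest_cap - out < need)
            return -1; /* refuse before writing, never after */
        if (need == 2)
            dest[out++] = (uint8_t)(PCX_RLE_MARK | run);
        dest[out++] = data;
        in += run;
    }
    return (long)out;
}

int main(void)
{
    /* Constructed sample row: a run of three, a literal, a marker-like literal. */
    const uint8_t row[] = { 0x11, 0x11, 0x11, 0x22, 0xC5 };
    uint8_t buf[2 * sizeof row]; /* worst case: every byte needs an escape */
    long n = pcx_rle_encode_bounded(row, sizeof row, buf, sizeof buf);

    for (long i = 0; i < n; i++)
        printf("%02X ", buf[i]);
    printf("\n");
    return n < 0;
}
```

Sizing the destination at twice the row length covers the worst case, and the capacity check turns any undersized buffer into an error return instead of an out-of-bounds write.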

Original References

1. Vulnerability details in the NVD: CVE-2023-38559
2. Ghostscript source code repository: Ghostscript GitHub

Mitigation

Currently, there is no official patch available for CVE-2023-38559. However, users are strongly advised to restrict the processing of untrusted PDF files in applications using Ghostscript. Administrators can instead consider using other software to process PDF files until a patch is available. It is also advisable to keep your software up to date and regularly monitor the Ghostscript website for updates on this issue.

Conclusion

The discovery of CVE-2023-38559 highlights the importance of secure coding practices for the developers of widely-used software like Ghostscript. The vulnerability allows local attackers to exploit buffer overflow issues in the 'devn_pcx_write_rle()' function to cause a denial of service. Users and administrators must be cautious when processing untrusted PDF files with Ghostscript and adopt alternative PDF processing mechanisms until a patch becomes available.

Timeline

Published on: 08/01/2023 17:15:00 UTC
Last modified on: 08/16/2023 03:15:00 UTC