Page MenuHomePhabricator

ghostscript dSafer bypass
Closed, ResolvedPublic

Description refers to a new vulnerability in ghostscript which allows bypass of -DSafer. Apparently this was used for the recent Hipchat compromise. There's no upstream fix yet.

We have one extension running on the cluster which also shells out to Ghostscript, extensions/PdfHandler/extension.json which sets "PdfProcessor" to gs. I don't know anything about that extension myself, just noticed it when looking around.

I suggest we wrap this extension with firejail, both to neuter the immediate vulnerability and as hardening going forward. We already have a wrapper installed on all application servers which launches ghostscript with a strict firejail confinement (the same we also use for imagemagick): /usr/local/bin/mediawiki-firejail-ghostscript, so I assume all that would be needed would be to deploy a change which switched PdfProcessor to /usr/local/bin/mediawiki-firejail-ghostscript

Event Timeline

Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:

  • PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
  • PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript

Indeed, I totally missed PdfPostProcessor, /usr/local/bin/mediawiki-firejail-convert is a very similar wrapper around /usr/bin/convert

Because copying files through multiple hosts to my laptop in a hotel in zambia is more effort than I can be bothered with at this moment in time... ;)

From 3d063e2bc5034e1d6e21373e01ad8c00f0f5de70 Mon Sep 17 00:00:00 2001
From: Reedy <>
Date: Thu, 27 Apr 2017 20:16:52 +0100
Subject: [PATCH] Run Pdf Processors in firejails

Bug: T164000
Change-Id: I3e66f699a9bfe4eeb26e17fac4a114e6ae610b22
 wmf-config/CommonSettings.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index 839e219a..4241f047 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -1842,6 +1842,8 @@ $wgAbuseFilterEmergencyDisableAge = $wmgAbuseFilterEmergencyDisableAge;
 if ( $wmgUsePdfHandler ) {
 	wfLoadExtension( 'PdfHandler' );
+	$wgPdfProcessor = '/usr/local/bin/mediawiki-firejail-ghostscript';
+	$wgPdfPostProcessor = '/usr/local/bin/mediawiki-firejail-convert';
 wfLoadExtension( 'WikiEditor' );
2.11.0 merged and deployed

[20:24:10] <logmsgbot> !log reedy@naos Synchronized wmf-config/CommonSettings.php: Run pdf processors in firejails T164000 (duration: 01m 20s)

Can this be resolved and opened to the public now?

The vulnerability itself is public, seems fine.

Reedy claimed this task.
Reedy added a project: WMF-General-or-Unknown.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 352572 had a related patch set uploaded (by Reedy; owner: Reedy):
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

Change 352572 merged by jenkins-bot:
[operations/mediawiki-config@master] Re-instate "Run Pdf Processors in firejails"

Mentioned in SAL (#wikimedia-operations) [2017-06-05T21:01:55Z] <reedy@tin> Synchronized wmf-config/CommonSettings.php: Run Pdf Processors in firejails T164145 T164000 (duration: 00m 40s)