oss-sec mailing list archives

CVE request: ghostscript and gv

From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Fri, 28 May 2010 12:04:31 +0200

Hi,

ghostscript executes initialization files relative to the current
directory. Unfortunately the -dSAFER option has no effect on those
files. So when viewing a file e.g. in /tmp a local attacker could
have the victim execute arbitrary postscript programs.
Upstream suggested to use -P- in addition to -dSAFER. That however
would mean every program using gs to render postscript has to be
checked. So fixing ghostscripts default behavior might be easier for
distributions.
http://bugs.ghostscript.com/show_bug.cgi?id=691339
http://www.securityfocus.com/archive/1/511433
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
https://bugzilla.novell.com/show_bug.cgi?id=608071

In the Debian bug report Paul also mentiones that gv creates a
temporary file in an insecure way:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Current thread:

CVE request: ghostscript and gv Ludwig Nussel (May 28)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)
  - Re: CVE request: ghostscript and gv Florian Weimer (May 30)
    - Re: CVE request: ghostscript and gv Bernhard R. Link (May 30)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
  - Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
    - Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)