oss-sec mailing list archives
Re: CVE request: ghostscript and gv
From: Josh Bressers <bressers () redhat com>
Date: Tue, 1 Jun 2010 14:41:41 -0400 (EDT)
Please use CVE-2010-2055 for this. Thanks. -- JB ----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:
Hi, ghostscript executes initialization files relative to the current directory. Unfortunately the -dSAFER option has no effect on those files. So when viewing a file e.g. in /tmp a local attacker could have the victim execute arbitrary postscript programs. Upstream suggested to use -P- in addition to -dSAFER. That however would mean every program using gs to render postscript has to be checked. So fixing ghostscripts default behavior might be easier for distributions. http://bugs.ghostscript.com/show_bug.cgi?id=691339 http://www.securityfocus.com/archive/1/511433 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316 https://bugzilla.novell.com/show_bug.cgi?id=608071 In the Debian bug report Paul also mentiones that gv creates a temporary file in an insecure way: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10 cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Current thread:
- CVE request: ghostscript and gv Ludwig Nussel (May 28)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 30)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)