oss-sec mailing list archives
Re: CVE request: ghostscript and gv
From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Tue, 1 Jun 2010 14:55:56 -0400
On Tue, 1 Jun 2010 14:41:41 -0400 (EDT), Josh Bressers wrote:
Please use CVE-2010-2055 for this.
[...]
In the Debian bug report Paul also mentiones that gv creates a temporary file in an insecure way: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10
should the insecure temp file get its own id since it is rather
different than the original problem?
| I slightly wonder about the writing of the tmp file
| open("/tmp/gv_random_some.pdf.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0666)
| from within gs (no O_EXCL so would follow a symlink allowing clobber).
mike
Current thread:
- CVE request: ghostscript and gv Ludwig Nussel (May 28)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 30)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)