oss-sec mailing list archives

Re: CVE request: ghostscript and gv


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 25 Aug 2010 15:23:34 +0200

Tomas Hoger wrote:
> On Sun, 30 May 2010 22:08:12 +0200 Bernhard R. Link wrote:
> > Gs's -P- not working (at least for gs_init.ps), is definitely a bug
> > that needs to be fixed.
>
> I believe we should try to clarify what CVE-2010-2055 got actually
> assigned to, as it seems to be used for more than one thing:
>
> - ghostscript uses CWD to search for initialization files
> - gv did not pass -P- to gs, leading to problems related to the default
>   mentioned above

That's the initial situation. It can be fixed in two ways:
a) set SEARCH_HERE_FIRST=0 as default for gs
b) keep SEARCH_HERE_FIRST=1 and require applications to pass -P-

However, ...

> - some ghostscript versions search CWD even when started with -P-

... as it turned out neither a) nor b) actually solve the problem:
http://bugs.ghostscript.com/show_bug.cgi?id=691350#c11

So fixing gs must be part of the solution always. That's
http://svn.ghostscript.com/viewvc?view=rev&revision=11352

Therefore up to three CVE numbers could be assigned
a) insecure default of gs
b) applications don't pass -P-
c) non working -P-/SEARCH_HERE_FIRST

Fixing a) means b) isn't needed but then it's just a compile time
default that may or may not be changed by distros.

Both a) and b) imply a fix for c) though. No idea if a separate CVE
is actually useful in that case.

We've decided for a), fix gs once and for all. Hopefully. :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
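
A pre-flight check for the situation discussed in this thread, as an added example (not code from the thread, Ghostscript or gv): it refuses to start gs when the working directory holds files that could be picked up as initialization files, and passes -P- as well. The function names, the `GS_BIN` variable and the `gs_*.ps` pattern are assumptions; the thread itself names only `gs_init.ps`.

```shell
#!/bin/sh
# Added example: guard against gs loading initialization files from CWD.
# Assumption: any gs_*.ps file in the working directory is treated as a
# candidate for shadowing an init file (the thread names only gs_init.ps).

# Hypothetical override so the wrapper can be exercised without gs installed.
GS_BIN=${GS_BIN:-gs}

# list_gs_shadow_files DIR
# Prints, one per line, files in DIR whose names match gs_*.ps.
list_gs_shadow_files() {
    for f in "$1"/gs_*.ps; do
        # An unmatched glob stays literal, so test that the path exists.
        # -L also catches dangling symlinks planted under such a name.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# run_gs_checked ARGS...
# Returns 3 without starting gs if the current directory contains candidate
# init files; otherwise runs gs with -P- prepended to ARGS.
run_gs_checked() {
    shadows=$(list_gs_shadow_files .)
    if [ -n "$shadows" ]; then
        printf 'not running gs, possible init-file shadowing in %s:\n%s\n' \
            "$(pwd)" "$shadows" >&2
        return 3
    fi
    # -P- asks gs not to search the current directory first. The thread
    # notes that some versions search CWD anyway, so the directory check
    # above is done independently of the flag.
    "$GS_BIN" -P- "$@"
}
```

Calling `run_gs_checked file.ps` from the directory that holds the document replaces a bare `gs file.ps`; a non-zero status of 3 means the directory should be inspected first.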

