[bug-gv] Security issues


From: Bernhard R. Link
Subject: [bug-gv] Security issues
Date: Sat, 29 May 2010 15:14:30 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Let's see if I get all the issues correctly:

1) when processing ghostscript files or translated pdf files,
   no -P- is given, causing gs to look in the current directory
   first.

That is the most easy to fix. (See attached patch 002.patch)

This problem can cause gs to execute postscript code one did not
intend to run.

The biggest danger seems to be having a gs_init.ps in the current
directory, in which case even -DSAFER might not have an effect
(as I can see it, it has an effect in gs_init.ps, so if that is
replaced, no effect)

For Lenny the patch breaks pdf file opening, as that version of gv does
not add the DELAYSAFER option. (For that one, one also needs the
differences 6907bf5..7f7ae12, see 003.patch)

2) No -P- when scanning a pdf file with pdf2dsc
There is no -P- option.

The -dSAFER seems to be no unrelated danger, as ghostscript's
pdf2dsc.ps is calling .setsafe unconditionally after having opened
the file
(at least in lenny the third line is
systemdict /.setsafe known { .setsafe } if
)

So the problem is again the postscript setup code (gs_init.ps) being
replaced by a copy in the current directory unless -P- is given.
Adding a -P- needs a change to this resource. I've not looked, but I fear
the user having a .gv file might make changing the default hard,
so a proper fix for this is not that easy...

3) Scanning pdf2dsc using pdf2dsc.ps
Related to 2, there is another issue: The scanning is done by
pdf2dsc.ps, which is specified on the command line. As far as I can
tell, gs looks for files specified as command line arguments in the
current directory first, even with -P-. So even with -P- this could
be exploited by adding a pdf2dsc.ps in the current directory (think
/tmp). I do not know how to fix this best. Perhaps shipping a postscript
file with gv (thus one has an absolute path) that reads and executes
the one from the system path?

4) Converting pdf files to postscript files is not called with -P-
either and not even with -dSAFER.

I'm not sure if the missing -dSAFER is an issue unrelated to
ghostscript's brain-dead path traversal, as that command gets a pdf
file so has not that many commands available, but fixing that at
the same time might be sensible.

Again the missing -P- means a gs_init.ps in the same directory causes
havoc. Again changing the default is easy, but users might have config
files. Perhaps one should replace the first space with " -P- " in
this string if there is no -P in it. (so -P- and -P will cause the user
to get their setting, otherwise a safe value is generated).

5) issues with giving gs only a filename and not having made sure
the file is correct.

Have I missed anything?

        Bernhard R. Link

Attachment: 002.patch
Description: Text Data

Attachment: 003.patch
Description: Text Data
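The rule proposed in item 4 (insert " -P- " after the program name unless the user already set -P or -P-), written out as an added example; this is not code from the post or from gv, the function name is invented, and the second step, which also adds -dSAFER when neither it nor an explicit -dNOSAFER/-dDELAYSAFER is present, goes slightly beyond the post's own proposal.

```shell
# Harden a configured ghostscript command string (POSIX sh).
# Added example, not part of the post or of gv.
harden_gs_command() {
    cmd=$1

    # Step 1 (item 4's proposal): unless the user chose -P or -P-
    # explicitly, put -P- right after the program name so gs does
    # not look in the current directory for gs_init.ps and friends.
    case " $cmd " in
        *" -P "*|*" -P- "*) ;;
        *)
            prog=${cmd%% *}              # first word: the gs binary
            if [ "$prog" = "$cmd" ]; then
                cmd="$cmd -P-"           # bare program name, nothing to split
            else
                cmd="$prog -P- ${cmd#* }"
            fi
            ;;
    esac

    # Step 2 (beyond the post's rule): request -dSAFER when it is
    # missing, as item 4 notes the pdf to postscript conversion
    # lacks it; an explicit -dNOSAFER or -dDELAYSAFER is respected.
    case " $cmd " in
        *" -dSAFER "*|*" -dNOSAFER "*|*" -dDELAYSAFER "*) ;;
        *) cmd="$cmd -dSAFER" ;;
    esac

    printf '%s\n' "$cmd"
}
```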

