oss-security - CVE request: ghostscript and gv

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-Id: <201005281204.31958.ludwig.nussel@suse.de>
Date: Fri, 28 May 2010 12:04:31 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request: ghostscript and gv

Hi,

ghostscript executes initialization files relative to the current
directory. Unfortunately the -dSAFER option has no effect on those
files. So when viewing a file e.g. in /tmp a local attacker could
have the victim execute arbitrary postscript programs.
Upstream suggested to use -P- in addition to -dSAFER. That however
would mean every program using gs to render postscript has to be
checked. So fixing ghostscripts default behavior might be easier for
distributions.
http://bugs.ghostscript.com/show_bug.cgi?id=691339
http://www.securityfocus.com/archive/1/511433
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316
https://bugzilla.novell.com/show_bug.cgi?id=608071

In the Debian bug report Paul also mentiones that gv creates a
temporary file in an insecure way:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.