oss-sec mailing list archives
CVE request: ghostscript and gv
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Fri, 28 May 2010 12:04:31 +0200
Hi, ghostscript executes initialization files relative to the current directory. Unfortunately the -dSAFER option has no effect on those files. So when viewing a file e.g. in /tmp a local attacker could have the victim execute arbitrary postscript programs. Upstream suggested to use -P- in addition to -dSAFER. That however would mean every program using gs to render postscript has to be checked. So fixing ghostscripts default behavior might be easier for distributions. http://bugs.ghostscript.com/show_bug.cgi?id=691339 http://www.securityfocus.com/archive/1/511433 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316 https://bugzilla.novell.com/show_bug.cgi?id=608071 In the Debian bug report Paul also mentiones that gv creates a temporary file in an insecure way: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10 cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Current thread:
- CVE request: ghostscript and gv Ludwig Nussel (May 28)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 30)
- Re: CVE request: ghostscript and gv Florian Weimer (May 30)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Josh Bressers (Jun 01)
- Re: CVE request: ghostscript and gv Michael Gilbert (Jun 01)
- Re: CVE request: ghostscript and gv Bernhard R. Link (May 29)