Message-Id: <200903171857.n2HIv0LP054510@astart2.astart.com>
Date: Tue, 17 Mar 2009 11:57:00 -0700 (PDT)
From: Patrick Powell
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/132756: Security Problem with GPL Ghostscript 8.2 and possibly others
Reply-To: Patrick Powell

>Number:         132756
>Category:       ports
>Synopsis:       Security Problem with GPL Ghostscript 8.2 and possibly others
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 17 19:30:05 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Powell
>Release:        FreeBSD 7.1-RELEASE i386
>Organization:
Astart Technologies/LPRng.com
>Environment:
System: FreeBSD astart2.astart.com 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:

The GPL Ghostscript Version 8.62 (GS) allows files in the same directory
to be opened and read by PostScript files being processed by GS.

When GS is used by the LPRng, CUPS, or legacy LPR printing system to process
print files, the current directory is set to the 'spool queue' directory.
A carefully crafted PostScript print job could open, read, and print
files submitted by other users.

While GPL GhostScript has a '-dPARANOIDSAFER' option that eliminates other
security issues, it appears that this one has been missed.

In previous versions of Ghostscript -dPARANOIDSAFER prevented this problem.
However, the current version of GPL Ghostscript Version 8.62 (GS) allows
files in the 'Search path' to be read.

The current search path is:

#> gs --help
GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc. All rights reserved.
Usage: gs [switches] [file1.ps file2.ps ...]
Most frequently used switches: (you can use # in place of =)
 -dNOPAUSE no pause after page | -q `quiet', fewer messages
 -gx page size in pixels | -r pixels/inch resolution
 -sDEVICE= select device | -dBATCH exit after last file
 -sOutputFile= select output file: - for stdout, |command for pipe,
 embed %d or %ld for page #
Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
Default output device: x11alpha
Available devices:
 alc1900 alc1900 alc2000 alc2000 alc4000 alc4000 alc4100 alc4100 alc8500
 ....
Search path:
-> . : /install/root/.fonts :
 /usr/local/share/ghostscript/8.62/lib :
 /usr/local/share/ghostscript/8.62/Resource :
 /usr/local/share/ghostscript/fonts :
 /usr/local/share/fonts/default/ghostscript :
 /usr/local/share/fonts/default/Type1 :
 /usr/local/share/fonts/default/TrueType : /usr/lib/DPS/outline/base :
 /usr/openwin/lib/X11/fonts/Type1 : /usr/openwin/lib/X11/fonts/TrueType
For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.
Please report bugs to bugs.ghostscript.com.

-> shows that '.' is in the search path.

>How-To-Repeat:

Save the following to 'gs_security_check' and run the shell script:

#!/bin/sh
GS=gs
tmpdir=/tmp

# A harmless PostScript file that stands in for another user's job
cat <<EOF >$tmpdir/gsQuit
quit
EOF
# Test job: open the target file by absolute path
cat <<EOF >$tmpdir/gsTest
($tmpdir/gsQuit) (r) file
quit
EOF
# Test job: open the target file by bare name, i.e. via '.' in the search path
cat <<EOF >$tmpdir/gsTestSameDir
(gsQuit) (r) file
quit
EOF

echo "checking GhostScript -dSAFER and -dPARANOIDSAFER option"
# Sanity check: gs must run a trivial job with these options
if ! $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- $tmpdir/gsQuit ; then
    echo ERROR
    exit 1
fi
# The three message texts and the third test's command line are missing from
# the archived copy of this report; they are reconstructed from the rest of
# the script.
if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- $tmpdir/gsTest 1>/dev/null 2>/dev/null ; then
    cat <<EOF
WARNING: $GS opened $tmpdir/gsQuit by absolute path despite -dSAFER -dPARANOIDSAFER
EOF
fi
# Run from the directory that holds gsQuit so that '.' resolves to it
if ( cd $tmpdir && $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- gsTestSameDir ) 1>/dev/null 2>/dev/null ; then
    cat <<EOF
WARNING: $GS opened gsQuit in the current directory despite -dSAFER -dPARANOIDSAFER
EOF
fi

>Fix:

Modify GPL Ghostscript 8.62 (2008-02-29) so that the -dPARANOIDSAFER option
removes the '.' path from the search path.

>Release-Note:
>Audit-Trail:
>Unformatted:
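
Added example (not part of the original report, and not Ghostscript or LPRng code): a check that parses the "Search path:" block of `gs --help` and flags relative entries such as '.', plus a wrapper that runs a command from an empty private directory. The function names, the sample text and the indentation assumed for the search-path lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original report.

# Constructed sample modelled on the `gs --help` output quoted in the report.
SAMPLE_HELP='GPL Ghostscript 8.62 (2008-02-29)
Search path:
   . : /install/root/.fonts : /usr/local/share/ghostscript/8.62/lib :
   /usr/local/share/ghostscript/fonts
For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.'

# Read `gs --help` text on stdin; print one search-path entry per line.
gs_search_path_entries() {
    awk '
        /^Search path:/       { in_path = 1; next }
        in_path && !/^[ \t]/  { in_path = 0 }   # block ends at first unindented line
        in_path {
            n = split($0, parts, ":")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                if (entry != "") print entry
            }
        }'
}

# Entries that do not start with "/" resolve against the current directory.
gs_relative_entries() {
    gs_search_path_entries | awk 'substr($0, 1, 1) != "/"'
}

# Return 1 (and report on stderr) if any relative entry such as "." is present.
gs_audit_search_path() {
    rel=$(gs_relative_entries)
    if [ -n "$rel" ]; then
        echo "relative search path entries: $rel" >&2
        return 1
    fi
    return 0
}

# Workaround (an assumption, not the fix the report asks for): run the command
# from an empty private directory so "." holds no other user's files.
run_gs_isolated() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/gsjob.XXXXXX") || return 1
    status=0
    ( cd "$workdir" && "$@" ) || status=$?
    rmdir "$workdir"
    return "$status"
}

# Demo on the constructed sample; on a real host use: gs --help | gs_audit_search_path
printf '%s\n' "$SAMPLE_HELP" | gs_audit_search_path || true
```

When a print filter uses run_gs_isolated, the job file has to be passed by absolute path or on stdin, because the working directory is no longer the spool queue directory.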