Date: Tue, 17 Mar 2009 11:57:00 -0700 (PDT) From: Patrick Powell <papowell@astart.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/132756: Security Problem with GPL Ghostscript 8.2 and possibly others Message-ID: <200903171857.n2HIv0LP054510@astart2.astart.com> Resent-Message-ID: <200903171930.n2HJU6ii091155@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 132756
>Category: ports
>Synopsis: Security Problem with GPL Ghostscript 8.2 and possibly others
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 17 19:30:05 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Patrick Powell
>Release: FreeBSD 7.1-RELEASE i386
>Organization:
Astart Technologies/LPRng.com
>Environment:
System: FreeBSD astart2.astart.com 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The GPL Ghostscript Version 8.62 (GS) allows files in the same directory to be
opened and read by PostScript files being processed by GS.
When GS is used by the LPRng, CUPS, or legacy LPR printing system to process
print files the current directory is set to the 'spool queue' directory.
A carefully crafted PostScript print job could open, read, and print files
submitted by other users.
While GPL GhostScript has a '-dPARNOID' option that eliminates other security
issues, it appears that this one has been missed. In previous versions of
Ghostscript -dPARANOIDSAFER prevented this problem. However, the current version
of GPL Ghostscript Version 8.62 (GS) allows files in the 'Search path' to be
read. The current search path is:
#> gs --help
GPL Ghostscript 8.62 (2008-02-29)
Copyright (C) 2008 Artifex Software, Inc. All rights reserved.
Usage: gs [switches] [file1.ps file2.ps ...]
Most frequently used switches: (you can use # in place of =)
-dNOPAUSE no pause after page | -q `quiet', fewer messages
-g<width>x<height> page size in pixels | -r<res> pixels/inch resolution
-sDEVICE=<devname> select device | -dBATCH exit after last file
-sOutputFile=<file> select output file: - for stdout, |command for pipe,
embed %d or %ld for page #
Input formats: PostScript PostScriptLevel1 PostScriptLevel2 PostScriptLevel3 PDF
Default output device: x11alpha
Available devices:
alc1900 alc1900 alc2000 alc2000 alc4000 alc4000 alc4100 alc4100 alc8500
....
Search path:
-> . : /install/root/.fonts : /usr/local/share/ghostscript/8.62/lib :
/usr/local/share/ghostscript/8.62/Resource :
/usr/local/share/ghostscript/fonts :
/usr/local/share/fonts/default/ghostscript :
/usr/local/share/fonts/default/Type1 :
/usr/local/share/fonts/default/TrueType : /usr/lib/DPS/outline/base :
/usr/openwin/lib/X11/fonts/Type1 : /usr/openwin/lib/X11/fonts/TrueType
For more information, see /usr/local/share/ghostscript/8.62/doc/Use.htm.
Please report bugs to bugs.ghostscript.com.
-> shows that '.' is in the search path.
>How-To-Repeat:
Save the following to 'gs_security_check' and run the shell script:
#!/bin/sh
GS=gs
tmpdir=/tmp
cat <<EOF >$tmpdir/gsQuit
quit
EOF
cat <<EOF >$tmpdir/gsTest
($tmpdir/gsQuit) (r) file quit
EOF
cat <<EOF >$tmpdir/gsTestSameDir
(gsQuit) (r) file quit
EOF
echo "checking GhostScript -dSAFER and -dPARANOIDSAFER option"
if ! $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- $tmpdir/gsQuit ; then
echo ERROR
exit 1
fi
if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- $tmpdir/gsTest 1>/dev/null 2>/dev/null ; then
cat <<EOF
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files to be read
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
exit 1
fi
cd $tmpdir
if $GS -q -dBATCH -dNOPAUSE -dSAFER -dPARANOIDSAFER -sDEVICE=nullpage -sOutputFile=- gsTestSameDir 1>/dev/null 2>/dev/null ; then
cat <<EOF;
WARNING: '($GS) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
EOF
exit 1
fi
If
test_i386: {69} # ./gs_security_check
checking GhostScript -dSAFER and -dPARANOIDSAFER option
WARNING: '(gs) -dSAFER -dPARANOIDSAFER ' allows files
in same directory to be read.
Please read README.GhostScriptSecurityProblem
and fix your distribution of GhostScript
>Fix:
Modify GPL Ghostscript 8.62 (2008-02-29) so that the -dPARANOIDSAFER
option removes the '.' path from the search path
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903171857.n2HIv0LP054510>