List: best-of-security
Subject: Ghostscript problem
From: Julian Assange <proff () suburbia ! net>
Date: 1995-08-23 16:46:43
Forwarded message:
>From owner-linux-alert@tarsier.cv.nrao.edu Wed Aug 23 23:36:21 1995
Message-Id: <m0skz0i-00005AC@monad.swb.de>
From: okir@monad.swb.de (Olaf Kirch)
Subject: Ghostscript problem
To: linux-alert@tarsier.cv.nrao.edu
Date: Tue, 22 Aug 1995 21:29:19 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 2047
Sender: owner-linux-alert@tarsier.cv.nrao.edu
Precedence: special-delivery
Reply-To: linux-security@tarsier.cv.nrao.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
There's another problem with ghostscript that makes you vulnerable to
attacks via postscript code. Ghostscript has a file type that lets you
execute arbitrary commands through the shell. While the -dSAFER option
to gs protects you from ordinary file write/rename/removal attacks, it
does not check for this special file type. The hole is present in all
GNU versions up to 2.6.2 and Aladdin versions earlier than 3.22.
Below's a fix to gs_init.ps that fixes this.
Please also make sure that all programs that use ghostscript set the -dSAFER
option. ghostview 1.5 does by default, but version 1.4 does not. I'd
suggest you also check your ps printer filter if you print postscript
files using gs, and xdvi if you use a version that uses ghostscript to
display postscript \special's. I checked only xdvi-20, and it's safe.
Olaf
PS: Patch follows. PGP will garble initial `-' characters in the
patch; make sure to replace `- -' with `-' before applying it.
- ------------------------------------------------------------------
- --- gs_init.ps.orig Sun Aug 20 23:22:01 1995
+++ gs_init.ps Sun Aug 20 23:22:46 1995
@@ -302,7 +302,8 @@
% If we want a "safer" system, disable some obvious ways to cause havoc.
SAFER not { (%END SAFER) .skipeof } if
/file
- - { dup (r) eq
+ { exch dup /..fname exch def exch
+ dup (r) eq ..fname (%pipe%*) .stringmatch not and
{ file }
{ /invalidfileaccess signalerror }
ifelse
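Review bot: the new guard in the `/file` redefinition is a denylist on a single device name, `..fname (%pipe%*) .stringmatch not`, so any other special `%device%` prefix that an `(r)`-mode open could reach is still passed straight to `file`; rejecting every name that begins with `%` except the few devices a viewer actually needs would fail closed instead. The `/..fname exch def` also stores the filename in the current dictionary on every `file` call, leaving a stray definition visible to the document being rendered; the same test can be done on the operand stack without a named binding, e.g. `2 copy (r) eq exch (%pipe%*) .stringmatch not and`. As the covering mail says, the `- -` prefixes on this hunk are PGP escaping and must be collapsed to `-` before `patch` will read it.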
- ------------------------------------------------------------------
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
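As an added example (not code from the advisory or from Ghostscript), the two checks the mail asks for on the defender's side: flagging `%pipe%` device references in PostScript input before it reaches gs, and confirming that a wrapper's gs command line passes -dSAFER; the function names, the sample file and the filter command lines are assumptions of this example.

```python
import re
import shlex

# Added example, not from the advisory or from Ghostscript. Two defender-side
# checks that follow the mail's two points: (1) PostScript can name the
# %pipe% device in a (string) handed to the `file` operator, which affected
# -dSAFER builds did not block; (2) every wrapper that runs gs should pass
# -dSAFER. Function names and the sample inputs are this example's own.

# Matches a PostScript string literal whose device prefix is %pipe%, e.g.
# (%pipe%cmd args). Only plain (...) literals are handled; see the note below.
PIPE_DEVICE = re.compile(r"\(%pipe%([^)]*)\)")


def find_pipe_devices(ps_text):
    """Return [(line_number, command)] for each (%pipe%...) string literal."""
    hits = []
    for lineno, line in enumerate(ps_text.splitlines(), 1):
        for match in PIPE_DEVICE.finditer(line):
            hits.append((lineno, match.group(1).strip()))
    return hits


def check_safer(command_line):
    """True when a gs command line passes -dSAFER, as the advisory recommends."""
    return "-dSAFER" in shlex.split(command_line)


# Constructed sample: a normal page plus one line that would reach the shell
# through the %pipe% device on an unpatched gs.
SAMPLE_PS = """%!PS-Adobe-2.0
% constructed sample input for the checks above
/Helvetica findfont 12 scalefont setfont
72 720 moveto (hello) show
(%pipe%echo hi) (r) file closefile
showpage
"""

# Constructed print-filter command lines: one as the advisory asks, one without -dSAFER.
FILTER_OK = "gs -q -dNOPAUSE -dSAFER -sDEVICE=ljet4 -sOutputFile=- -"
FILTER_BAD = "gs -q -dNOPAUSE -sDEVICE=ljet4 -sOutputFile=- -"


def audit(ps_text, command_line):
    """Summarise both checks: the %pipe% hits and whether -dSAFER is set."""
    return {"pipe_devices": find_pipe_devices(ps_text),
            "safer": check_safer(command_line)}


if __name__ == "__main__":
    for cmd in (FILTER_OK, FILTER_BAD):
        print(cmd, "->", audit(SAMPLE_PS, cmd))
```

The regex only sees plain `(...)` literals, so strings written with escapes, in hex `<...>` form, or assembled at run time are not caught; treat it as a triage aid while the gs_init.ps fix plus -dSAFER remains the actual control.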