Bug 100398 - media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-26 13:02 UTC by Jimi A.
Modified: 2005-08-15 22:02 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix by debian (pstopnm_dsafer.diff,802 bytes, patch)
2005-07-27 01:46 UTC, Karol Wojtaszek (RETIRED)

Description Jimi A. 2005-07-26 13:02:14 UTC
Max Vozeler has reported a vulnerability in netpbm, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstopnm not using the "-dSAFER" option when
calling GhostScript to convert a PostScript file into a PBM, PGM, or PNM file.
This allows a malicious PostScript file to execute arbitrary commands on a
vulnerable system.

The vulnerability has been reported in version 10.0. Other versions may also be
affected.

Reproducible: Always
Solution:
Only use pstopnm on trusted files.

http://secunia.com/advisories/16184/
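
The missing-option condition described above can be checked on any Ghostscript command line a wrapper builds. The following is an added example, not code from this bug report or from the Debian patch: the sample argument vectors are constructed, and the checker assumes every argument is either a single-token switch or an input file. Ghostscript applies switches to the files that follow them, so the check also requires -dSAFER to precede the first input.

```c
#include <stdio.h>
#include <string.h>

enum gs_verdict { GS_OK, GS_NO_SAFER, GS_SAFER_TOO_LATE, GS_SAFER_OVERRIDDEN };

#define ARGC(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed sample command lines (illustrative, not pstopnm's literal call). */
static const char *const gs_unpatched[] = { "gs", "-q", "-dNOPAUSE",
    "-sDEVICE=pnmraw", "-sOutputFile=out.pnm", "-" };
static const char *const gs_patched[] = { "gs", "-q", "-dNOPAUSE", "-dSAFER",
    "-sDEVICE=pnmraw", "-sOutputFile=out.pnm", "-" };
static const char *const gs_late[] = { "gs", "-q", "in.ps", "-dSAFER" };
static const char *const gs_overridden[] = { "gs", "-dSAFER", "-dNOSAFER", "in.ps" };

/* Assumption: anything not starting with '-' is an input file; a lone "-"
 * means "read PostScript from stdin" and therefore also counts as input. */
static int is_input(const char *a) { return a[0] != '-' || a[1] == '\0'; }

/* Decide whether every PostScript input on this command line runs under SAFER. */
enum gs_verdict audit_gs_argv(int argc, const char *const argv[])
{
    int safer = 0, unprotected_input = 0;
    for (int i = 1; i < argc; i++) {            /* argv[0] is the program name */
        if (strcmp(argv[i], "-dSAFER") == 0)
            safer = 1;
        else if (strcmp(argv[i], "-dNOSAFER") == 0)
            return GS_SAFER_OVERRIDDEN;         /* explicit opt-out anywhere */
        else if (is_input(argv[i]) && !safer)
            unprotected_input = 1;              /* file seen before -dSAFER */
    }
    if (!safer)
        return GS_NO_SAFER;
    return unprotected_input ? GS_SAFER_TOO_LATE : GS_OK;
}

int main(void)
{
    static const char *const names[] = { "ok", "no -dSAFER",
        "-dSAFER after an input", "-dNOSAFER present" };
    printf("unpatched:  %s\n", names[audit_gs_argv(ARGC(gs_unpatched), gs_unpatched)]);
    printf("patched:    %s\n", names[audit_gs_argv(ARGC(gs_patched), gs_patched)]);
    printf("late:       %s\n", names[audit_gs_argv(ARGC(gs_late), gs_late)]);
    printf("overridden: %s\n", names[audit_gs_argv(ARGC(gs_overridden), gs_overridden)]);
    return 0;
}
```
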
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-26 13:11:47 UTC
graphics please advise. 
Comment 2 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-27 01:46:29 UTC
Created attachment 64419
Fix by debian

Patch proposed by Debian
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-29 03:12:44 UTC
graphics herd, please apply Debian patch
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-30 13:55:57 UTC
Bumped to 10.28 and patched ebuild is in portage. This release also fixes an
insecure temp file in ppmtompeg.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-31 01:07:41 UTC
Arches please test and mark stable. 
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-07-31 03:03:37 UTC
Stable on hppa
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-07-31 05:16:08 UTC
stable on ppc64
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-07-31 06:08:29 UTC
Stable on alpha

Cheers,
Ferdy
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-31 09:51:39 UTC
ppc stable
Comment 10 Herbie Hopkins (RETIRED) gentoo-dev 2005-08-01 03:18:02 UTC
Stable on amd64.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-01 07:46:14 UTC
sparc stable
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-02 02:06:33 UTC
10.28 still misses hppa...
x86/maintainer: please also test and mark x86 stable
Comment 13 Karol Wojtaszek (RETIRED) gentoo-dev 2005-08-02 04:50:50 UTC
x86 done
Comment 14 René Nussbaumer (RETIRED) gentoo-dev 2005-08-02 09:09:26 UTC
Stable on hppa again.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-08-03 00:41:28 UTC
We must decide if we issue a GLSA on this one.

The problem here is that we consider as unexpected behavior the fact that
pstotext or pstopnm blindly execute the PS (potentially honoring the pipe
commands to execute arbitrary stuff), a behavior that we consider "as
documented" when it's for Ghostscript itself.

My position is that a vast majority of users won't know that pstotext and
pstopnm will execute Ghostscript in a way potentially allowing code execution,
so the GLSAs are justified. That said, they probably don't know that regular PS
files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in
Ghostscript (which should come in a next version). Let's say GS is a
sufficiently low-level tool that its users know what they are doing, hence it's
not really considered a vulnerability?
Comment 16 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-03 00:51:10 UTC
I would normally vote no, but following the pstopnm issue we should probably 
glsa this one as well, so YES.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-08-04 14:43:21 UTC
Stable on ia64.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-05 01:10:13 UTC
Yeah pstotext sets a (bad?) precedent so I tend to vote Yes. 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 01:12:38 UTC
OK let's go then
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 04:02:00 UTC
GLSA 200508-04
arm and mips should mark stable to benefit from GLSA
Comment 21 Aaron Walker (RETIRED) gentoo-dev 2005-08-05 11:06:38 UTC
Stable on mips.