Bug#: 100398
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jimi A. <folajimi@speakeasy.net>

Attachment: pstopnm_dsafer.diff (Fix by debian), type: patch, creator: Karol Wojtaszek (RETIRED), created: 2005-07-27 01:46 0000, size: 802 bytes
Description:   Opened: 2005-07-26 13:02 0000
Max Vozeler has reported a vulnerability in netpbm, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstopnm not using the "-dSAFER" option when
calling GhostScript to convert a PostScript file into a PBM, PGM, or PNM file.
This allows a malicious PostScript file to execute arbitrary commands on a
vulnerable system.

The vulnerability has been reported in version 10.0. Other versions may also be
affected.

Reproducible: Always
Solution:
Only use pstopnm on trusted files.

http://secunia.com/advisories/16184/
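
The report above comes down to how a converter builds its Ghostscript command line. The following is an added example, not netpbm code and not the Debian patch attached to this bug (which is not shown on this page): it builds an argument vector with and without `-dSAFER` and audits it. The function names, the `pnmraw` device choice and the rule that `-dSAFER` must precede the input file are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not netpbm code; function names are hypothetical.
 * Fills argv (room for 9 entries) with a Ghostscript command line that
 * renders psfile to raw PNM on stdout; safer != 0 adds -dSAFER. Returns
 * argc, or -1 if psfile would be parsed as a switch or an @argument file. */
int build_gs_argv(const char *argv[], const char *psfile, int safer)
{
    int n = 0;
    if (psfile[0] == '-' || psfile[0] == '@') return -1;
    argv[n++] = "gs";
    argv[n++] = "-q";
    argv[n++] = "-dNOPAUSE";
    argv[n++] = "-dBATCH";
    if (safer)
        argv[n++] = "-dSAFER";      /* placed ahead of the input file */
    argv[n++] = "-sDEVICE=pnmraw";
    argv[n++] = "-sOutputFile=-";
    argv[n++] = psfile;
    argv[n] = NULL;
    return n;
}

/* Conservative audit: 1 only if -dSAFER precedes the first input file,
 * -dNOSAFER never appears, and no @file hides further arguments. */
int gs_argv_is_safer(const char *argv[])
{
    int safer = 0, seen_file = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        if (argv[i][0] == '@' || strcmp(argv[i], "-dNOSAFER") == 0)
            return 0;
        if (argv[i][0] != '-')
            seen_file = 1;
        else if (!seen_file && strcmp(argv[i], "-dSAFER") == 0)
            safer = 1;
    }
    return safer;
}

int main(void)
{
    const char *argv[9];
    build_gs_argv(argv, "untrusted.ps", 0);   /* the reported behaviour */
    printf("without -dSAFER: %d\n", gs_argv_is_safer(argv));
    build_gs_argv(argv, "untrusted.ps", 1);   /* hardened invocation */
    printf("with -dSAFER:    %d\n", gs_argv_is_safer(argv));
    return 0;
}
```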

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-07-26 13:11:47 0000 -------
graphics please advise. 

------- Comment #2 From Karol Wojtaszek (RETIRED) 2005-07-27 01:46:29 0000 -------
Created an attachment (id=64419)
Fix by debian

Patch proposed by Debian

------- Comment #3 From Thierry Carrez (RETIRED) 2005-07-29 03:12:44 0000 -------
graphics herd, please apply Debian patch

------- Comment #4 From Karol Wojtaszek (RETIRED) 2005-07-30 13:55:57 0000 -------
Bumped to 10.28 and patched ebuild is in portage. This release also fixes an
insecure temp file in ppmtompeg.

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-07-31 01:07:41 0000 -------
Arches please test and mark stable. 

------- Comment #6 From René Nussbaumer 2005-07-31 03:03:37 0000 -------
Stable on hppa

------- Comment #7 From Markus Rothe 2005-07-31 05:16:08 0000 -------
stable on ppc64

------- Comment #8 From Fernando J. Pereda 2005-07-31 06:08:29 0000 -------
Stable on alpha

Cheers,
Ferdy

------- Comment #9 From Tobias Scherbaum 2005-07-31 09:51:39 0000 -------
ppc stable

------- Comment #10 From Herbie Hopkins (RETIRED) 2005-08-01 03:18:02 0000 -------
Stable on amd64.

------- Comment #11 From Gustavo Zacarias (RETIRED) 2005-08-01 07:46:14 0000 -------
sparc stable

------- Comment #12 From Thierry Carrez (RETIRED) 2005-08-02 02:06:33 0000 -------
10.28 still misses hppa...
x86/maintainer: please also test and mark x86 stable

------- Comment #13 From Karol Wojtaszek (RETIRED) 2005-08-02 04:50:50 0000 -------
x86 done

------- Comment #14 From René Nussbaumer 2005-08-02 09:09:26 0000 -------
Stable on hppa again.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-08-03 00:41:28 0000 -------
We must decide if we issue a GLSA on this one.

The problem here is that we consider as unexpected behavior the fact that
pstotext or pstopnm execute blindly the PS (potentially honoring the pipe
commands to execute arbitrary stuff). A behavior that we consider "as
documented" when it's for Ghostscript itself.

My position is that a vast majority of users won't know that pstotext and
pstopnm will execute Ghostscript in a way potentially allowing code execution,
so the GLSAs are justified. That said, they probably don't know that regular PS
files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in
Ghostscript (which should come in a next version). Let's say GS is a
sufficiently low-level tool that its users know what they are doing, hence it's
not really considered a vulnerability?

------- Comment #16 From Tavis Ormandy (RETIRED) 2005-08-03 00:51:10 0000 -------
I would normally vote no, but following the pstopnm issue we should probably 
glsa this one as well, so YES.

------- Comment #17 From Bryan Østergaard (RETIRED) 2005-08-04 14:43:21 0000 -------
Stable on ia64.

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-08-05 01:10:13 0000 -------
Yeah pstotext sets a (bad?) precedent so I tend to vote Yes. 

------- Comment #19 From Thierry Carrez (RETIRED) 2005-08-05 01:12:38 0000 -------
OK let's go then

------- Comment #20 From Thierry Carrez (RETIRED) 2005-08-05 04:02:00 0000 -------
GLSA 200508-04
arm and mips should mark stable to benefit from GLSA

------- Comment #21 From Aaron Walker (RETIRED) 2005-08-05 11:06:38 0000 -------
Stable on mips.
