100245 2005-07-25 09:06 0000 app-text/pstotext: Arbitrary Postscript Code Execution by pstotext 2005-07-31 10:37:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://secunia.com/advisories/16183/ B2 [glsa] DerCorny P2 normal --- 1 folajimi@speakeasy.net security@gentoo.org folajimi@speakeasy.net 2005-07-25 09:06:39 0000 Max Vozeler has reported a vulnerability in pstotext, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to pstotext not using the "-dSAFER" option when calling GhostScript to extract plain-text from PostScript files. This potentially allows malicious postscript code to execute arbitrary commands on the system. The vulnerability has been reported in version 1.9. Other versions may also be affected. Reproducible: Always Steps to Reproduce: 1. 2. 3. Solution: Only use pstotext on trusted files. folajimi@speakeasy.net 2005-07-25 09:09:24 0000 http://secunia.com/advisories/16183/ dercorny@gentoo.org 2005-07-25 09:55:27 0000 Ok, there is no active maintainer so i CC'ed the ones from the changelog and maintainer-needed. If there is no volunteer to get this done, we might have to mask or remove this package. dercorny@gentoo.org 2005-07-26 07:57:54 0000 Created an attachment (id=64353) Debian patch for this issue This is a patch for this issue taken from the debian bug. Still nobody wants to do this? janjitse@a-eskwadraat.nl 2005-07-27 07:06:34 0000 Created an attachment (id=64443) Patch for package This patch updates the ebuild, so it cannot be easier. Still needs a ChangeLog entry and a GnuPG signature, but I'm not a developer, so I cannot do that. solar@gentoo.org 2005-07-27 09:41:18 0000 pstotext-1.8g-r1 is in the tree with the deb patch. KEYWORDS= ~amd64 ~x86 ~ppc ~sparc ~ppc64 dercorny@gentoo.org 2005-07-27 10:48:06 0000 Thanks a lot for the help bumping! Arches, please test pstotext-1.8g-r1 and mark stable, also thanks. geekypenguin@gmail.com 2005-07-27 10:56:18 0000 Stable on PPC corsair@gentoo.org 2005-07-27 13:10:27 0000 stable on ppc64 gustavoz@gentoo.org 2005-07-27 13:11:43 0000 sparc stable. solar@gentoo.org 2005-07-30 11:19:30 0000 Passes local regression testing. I processed 236 .ps files without error, and confirmed it now uses -dSAFER when calling gs. stable on x86. It appears to to not free a small chunk of memory before exiting and could probably use a wee bit of Makefile and gcc syntax loving at a later time. amd64 never appears to of had it marked stable. This would be a good time to go ahead and do it. koon@gentoo.org 2005-07-30 11:49:32 0000 About amd64 testing: sure it's a good time to mark stable, but it shouldn't block GLSA release. Ready for GLSA dercorny@gentoo.org 2005-07-31 10:37:41 0000 GLSA 200507-29. Thanks to everybody involved. 64353 2005-07-26 07:57 0000 Debian patch for this issue pstotext_dsafer-1.diff text/plain LS0tIHBzdG90ZXh0LTEuOS9tYWluLmN+CTIwMDUtMDYtMDIgMTU6NDI6MzMuNzU0MTc3MDk2ICsw MjAwCisrKyBwc3RvdGV4dC0xLjkvbWFpbi5jCTIwMDUtMDYtMDIgMTU6NDU6MjAuNDEyMDg0MDE2 ICswMjAwCkBAIC0yMzEsOSArMjMxLDkgQEAKICAgc3ByaW50ZigKICAgICBnc19jbWRsaW5lLAog I2lmZGVmIFZNUwotICAgICIlcyAtcjcyIFwiLWROT0RJU1BMQVlcIiBcIi1kRklYRURNRURJQVwi IFwiLWRERUxBWUJJTkRcIiBcIi1kV1JJVEVTWVNURU1ESUNUXCIgJXMgXCItZE5PUEFVU0VcIiAl cyAlcyAlcyIsCisgICAgIiVzIC1yNzIgXCItZE5PRElTUExBWVwiIFwiLWRGSVhFRE1FRElBXCIg XCItZERFTEFZQklORFwiIFwiLWRXUklURVNZU1RFTURJQ1RcIiAlcyBcIi1kTk9QQVVTRVwiIFwi LWRTQUZFUlwiICVzICVzICVzIiwKICNlbHNlCi0gICAgIiVzIC1yNzIgLWROT0RJU1BMQVkgLWRG SVhFRE1FRElBIC1kREVMQVlCSU5EIC1kV1JJVEVTWVNURU1ESUNUICVzIC1kTk9QQVVTRSAlcyAl cyAlcyIsCisgICAgIiVzIC1yNzIgLWROT0RJU1BMQVkgLWRGSVhFRE1FRElBIC1kREVMQVlCSU5E IC1kV1JJVEVTWVNURU1ESUNUICVzIC1kTk9QQVVTRSAtZFNBRkVSICVzICVzICVzIiwKICNlbmRp ZgogICAgIGdzX2NtZCwKICAgICAoZGVidWcgPyAiIiA6ICItcSIpLAo= 64443 2005-07-27 07:06 0000 Patch for package safer.patch text/plain ZGlmZiAtTnVyIC91c3IvcG9ydGFnZS9hcHAtdGV4dC9wc3RvdGV4dC9NYW5pZmVzdCAvdXNyL2xv Y2FsL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvTWFuaWZlc3QKLS0tIC91c3IvcG9ydGFnZS9h cHAtdGV4dC9wc3RvdGV4dC9NYW5pZmVzdAkyMDA1LTA3LTE2IDE4OjM1OjI2LjAwMDAwMDAwMCAr MDIwMAorKysgL3Vzci9sb2NhbC9wb3J0YWdlL2FwcC10ZXh0L3BzdG90ZXh0L01hbmlmZXN0CTIw MDUtMDctMjcgMTU6NTQ6MTkuMDAwMDAwMDAwICswMjAwCkBAIC0xLDEzICsxLDQgQEAKLS0tLS0t QkVHSU4gUEdQIFNJR05FRCBNRVNTQUdFLS0tLS0KLUhhc2g6IFNIQTEKLQorTUQ1IDI1MDliMWY2 YjdhNWJhYjhjZWZjYzYyNWM4MWIyZTc0IHBzdG90ZXh0LTEuOGcuZWJ1aWxkIDczOAogTUQ1IDZk YThjZjU2NzA1ZmQzNmZiN2FhNmI1NmMxYzlhZWMzIENoYW5nZUxvZyAxMDI3Ci1NRDUgODExNDIz ODMyMGFmNjZjYWExZTkwZDVjOGY2N2RjZTggcHN0b3RleHQtMS44Zy5lYnVpbGQgNjgxCiBNRDUg ODRhMDQ3ZTY1NDk0YzlmNDdlNGFmNzBkMzI3NjMyMGYgZmlsZXMvZGlnZXN0LXBzdG90ZXh0LTEu OGcgNTgKLS0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tCi1WZXJzaW9uOiBHbnVQRyB2MS40 LjEgKEdOVS9MaW51eCkKLQotaUQ4REJRRkMyVEtoY3NJSGp5RFZpR1FSQWtnZEFLREUzek1rcC9v Z3RLb3IxVXVSZTMzZFNOc0lXd0NlS0pUWgotSUlLSEo1RVdodzdhbTl1QUFMcFZ2UTg9Ci09eGZH LwotLS0tLS1FTkQgUEdQIFNJR05BVFVSRS0tLS0tCitNRDUgNzk1OTExMGJlMTlmNmI4MjhhNmMz OWE0M2I3OTM1NGYgZmlsZXMvcHN0b3RleHQtZHNhZmVyLnBhdGNoIDY2OApkaWZmIC1OdXIgL3Vz ci9wb3J0YWdlL2FwcC10ZXh0L3BzdG90ZXh0L2ZpbGVzL3BzdG90ZXh0LWRzYWZlci5wYXRjaCAv dXNyL2xvY2FsL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvZmlsZXMvcHN0b3RleHQtZHNhZmVy LnBhdGNoCi0tLSAvdXNyL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvZmlsZXMvcHN0b3RleHQt ZHNhZmVyLnBhdGNoCTE5NzAtMDEtMDEgMDE6MDA6MDAuMDAwMDAwMDAwICswMTAwCisrKyAvdXNy L2xvY2FsL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvZmlsZXMvcHN0b3RleHQtZHNhZmVyLnBh dGNoCTIwMDUtMDctMjcgMTU6NTE6MDguMDAwMDAwMDAwICswMjAwCkBAIC0wLDAgKzEsMTQgQEAK Ky0tLSBwc3RvdGV4dC0xLjkvbWFpbi5jfgkyMDA1LTA2LTAyIDE1OjQyOjMzLjc1NDE3NzA5NiAr MDIwMAorKysrIHBzdG90ZXh0LTEuOS9tYWluLmMJMjAwNS0wNi0wMiAxNTo0NToyMC40MTIwODQw MTYgKzAyMDAKK0BAIC0yMzEsOSArMjMxLDkgQEAKKyAgIHNwcmludGYoCisgICAgIGdzX2NtZGxp bmUsCisgI2lmZGVmIFZNUworLSAgICAiJXMgLXI3MiBcIi1kTk9ESVNQTEFZXCIgXCItZEZJWEVE TUVESUFcIiBcIi1kREVMQVlCSU5EXCIgXCItZFdSSVRFU1lTVEVNRElDVFwiICVzIFwiLWROT1BB VVNFXCIgJXMgJXMgJXMiLAorKyAgICAiJXMgLXI3MiBcIi1kTk9ESVNQTEFZXCIgXCItZEZJWEVE TUVESUFcIiBcIi1kREVMQVlCSU5EXCIgXCItZFdSSVRFU1lTVEVNRElDVFwiICVzIFwiLWROT1BB VVNFXCIgXCItZFNBRkVSXCIgJXMgJXMgJXMiLAorICNlbHNlCistICAgICIlcyAtcjcyIC1kTk9E SVNQTEFZIC1kRklYRURNRURJQSAtZERFTEFZQklORCAtZFdSSVRFU1lTVEVNRElDVCAlcyAtZE5P UEFVU0UgJXMgJXMgJXMiLAorKyAgICAiJXMgLXI3MiAtZE5PRElTUExBWSAtZEZJWEVETUVESUEg LWRERUxBWUJJTkQgLWRXUklURVNZU1RFTURJQ1QgJXMgLWROT1BBVVNFIC1kU0FGRVIgJXMgJXMg JXMiLAorICNlbmRpZgorICAgICBnc19jbWQsCisgICAgIChkZWJ1ZyA/ICIiIDogIi1xIiksCmRp ZmYgLU51ciAvdXNyL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvcHN0b3RleHQtMS44Zy5lYnVp bGQgL3Vzci9sb2NhbC9wb3J0YWdlL2FwcC10ZXh0L3BzdG90ZXh0L3BzdG90ZXh0LTEuOGcuZWJ1 aWxkCi0tLSAvdXNyL3BvcnRhZ2UvYXBwLXRleHQvcHN0b3RleHQvcHN0b3RleHQtMS44Zy5lYnVp bGQJMjAwNS0wNy0xNiAxODozNToyNi4wMDAwMDAwMDAgKzAyMDAKKysrIC91c3IvbG9jYWwvcG9y dGFnZS9hcHAtdGV4dC9wc3RvdGV4dC9wc3RvdGV4dC0xLjhnLmVidWlsZAkyMDA1LTA3LTI3IDE1 OjUzOjQ5LjAwMDAwMDAwMCArMDIwMApAQCAtMiw2ICsyLDcgQEAKICMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgogIyAkSGVh ZGVyOiAvdmFyL2N2c3Jvb3QvZ2VudG9vLXg4Ni9hcHAtdGV4dC9wc3RvdGV4dC9wc3RvdGV4dC0x LjhnLmVidWlsZCx2IDEuMTQgMjAwNS8wNy8xNiAxNjoxMzozOCBqb3NlanggRXhwICQKIAoraW5o ZXJpdCBldXRpbHMKIERFU0NSSVBUSU9OPSJleHRyYWN0IEFTQ0lJIHRleHQgZnJvbSBhIFBvc3RT Y3JpcHQgb3IgUERGIGZpbGUiCiBIT01FUEFHRT0iaHR0cDovL3Jlc2VhcmNoLmNvbXBhcS5jb20v U1JDL3ZpcnR1YWxwYXBlci9wc3RvdGV4dC5odG1sIgogU1JDX1VSST0iaHR0cDovL3Jlc2VhcmNo LmNvbXBhcS5jb20vU1JDL3ZpcnR1YWxwYXBlci9iaW5hcmllcy9wc3RvdGV4dC50YXIuWiIKQEAg LTE4LDYgKzE5LDcgQEAKIFM9JHtXT1JLRElSfS8ke1BOfQogCiBzcmNfY29tcGlsZSgpIHsKKwll cGF0Y2ggJHtGSUxFU0RJUn0vcHN0b3RleHQtZHNhZmVyLnBhdGNoCiAJZW1ha2UgfHwgZGllCiB9 CiAK