100398 2005-07-26 13:02 0000 media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability 2005-08-15 22:02:46 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] P2 normal --- 1 folajimi@speakeasy.net security@gentoo.org graphics@gentoo.org folajimi@speakeasy.net 2005-07-26 13:02:14 0000 Max Vozeler has reported a vulnerability in netpbm, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to pstopnm not using the "-dSAFER" option when calling GhostScript to convert a PostScript file into a PBM, PGM, or PNM file. This allows a malicious PostScript file to execute arbitrary commands on a vulnerable system. The vulnerability has been reported in version 10.0. Other versions may also be affected. Reproducible: Always Steps to Reproduce: 1. 2. 3. Solution: Only use pstopnm on trusted files. http://secunia.com/advisories/16184/ jaervosz@gentoo.org 2005-07-26 13:11:47 0000 graphics please advise. sekretarz@gentoo.org 2005-07-27 01:46:29 0000 Created an attachment (id=64419) Fix by debian Patch proposed by Debian koon@gentoo.org 2005-07-29 03:12:44 0000 graphics herd, please apply Debian patch sekretarz@gentoo.org 2005-07-30 13:55:57 0000 Bumped to 10.28 and patched ebuild is in portage. This release fixes also insecure temp file in ppmtompeg. jaervosz@gentoo.org 2005-07-31 01:07:41 0000 Arches please test and mark stable. killerfox@gentoo.org 2005-07-31 03:03:37 0000 Stable on hppa corsair@gentoo.org 2005-07-31 05:16:08 0000 stable on ppc64 ferdy@gentoo.org 2005-07-31 06:08:29 0000 Stable on alpha Cheers, Ferdy dertobi123@gentoo.org 2005-07-31 09:51:39 0000 ppc stable herbs@gentoo.org 2005-08-01 03:18:02 0000 Stable on amd64. gustavoz@gentoo.org 2005-08-01 07:46:14 0000 sparc stable koon@gentoo.org 2005-08-02 02:06:33 0000 10.28 still misses hppa... x86/maintainer: please also text and mark x86 stable sekretarz@gentoo.org 2005-08-02 04:50:50 0000 x86 done killerfox@gentoo.org 2005-08-02 09:09:26 0000 Stable on hppa again. koon@gentoo.org 2005-08-03 00:41:28 0000 We must decide if we issue a GLSA on this one. The problem here is that we consider as unexpected behavior the fact that pstotext or pstopnm execute blindly the PS (potentially honoring the pipe commands to execute arbitrary stuff). A behavior that we consider "as documented" when it's for Ghostscript itself. My position is that a vast majority of users won't know that pstotext and pstopnm will execute Ghostscript in a way potentially allowing code execution, so the GLSAs are justified. That said, they probably don't know that regular PS files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in Ghostscript (which should come in a next version). Let's say GS is a sufficiently low-level tool that its users know what they are doing, hence it's not really considered a vulnerability ? taviso@gentoo.org 2005-08-03 00:51:10 0000 I would normally vote no, but following the pstopnm issue we should probably glsa this one as well, so YES. kloeri@gentoo.org 2005-08-04 14:43:21 0000 Stable on ia64. jaervosz@gentoo.org 2005-08-05 01:10:13 0000 Yeah pstotext sets a (bad?) precedent so I tend to vote Yes. koon@gentoo.org 2005-08-05 01:12:38 0000 OK let's go then koon@gentoo.org 2005-08-05 04:02:00 0000 GLSA 200508-04 arm and mips should mark stable to benefit from GLSA ka0ttic@gentoo.org 2005-08-05 11:06:38 0000 Stable on mips. 64419 2005-07-27 01:46 0000 Fix by debian pstopnm_dsafer.diff text/plain LS0tIG5ldHBibS1mcmVlLTEwLjAvcG5tL3BzdG9wbm0uY34JMjAwNS0wNi0wMiAxNjoyMDowMy4y MDU2OTQxNzYgKzAyMDAKKysrIG5ldHBibS1mcmVlLTEwLjAvcG5tL3BzdG9wbm0uYwkyMDA1LTA2 LTAyIDE2OjI0OjI0Ljk3ODI2Mjg1NiArMDIwMApAQCAtNTY4LDExICs1NjgsMTEgQEAKICAgICAg ICAgcG1fbWVzc2FnZSgiZXhlY2luZyAnJXMnIHdpdGggYXJncyAnJXMnIChhcmcgMCksICIKICAg ICAgICAgICAgICAgICAgICAiJyVzJywgJyVzJywgJyVzJywgJyVzJywgJyVzJywgJyVzJywgJyVz JyIsCiAgICAgICAgICAgICAgICAgICAgZ2hvc3RzY3JpcHRQcm9nLCBhcmcwLAotICAgICAgICAg ICAgICAgICAgIGRldmljZW9wdCwgb3V0ZmlsZW9wdCwgZ29wdCwgcm9wdCwgIi1xIiwgIi1kTk9Q QVVTRSIsICItIik7CisgICAgICAgICAgICAgICAgICAgZGV2aWNlb3B0LCBvdXRmaWxlb3B0LCBn b3B0LCByb3B0LCAiLXEiLCAiLWROT1BBVVNFIiwgIi1kU0FGRVIiLCAgIi0iKTsKICAgICB9CiAK ICAgICBleGVjbChnaG9zdHNjcmlwdFByb2csIGFyZzAsIGRldmljZW9wdCwgb3V0ZmlsZW9wdCwg Z29wdCwgcm9wdCwgIi1xIiwKLSAgICAgICAgICAiLWROT1BBVVNFIiwgIi0iLCBOVUxMKTsKKyAg ICAgICAgICAiLWROT1BBVVNFIiwgIi1kU0FGRVIiLCAiLSIsIE5VTEwpOwogICAgIAogICAgIHBt X2Vycm9yKCJleGVjbCgpIG9mIEdob3N0c2NyaXB0ICgnJXMnKSBmYWlsZWQsIGVycm5vPSVkICgl cykiLAogICAgICAgICAgICAgIGdob3N0c2NyaXB0UHJvZywgZXJybm8sIHN0cmVycm9yKGVycm5v KSk7Cg==