Bug 100245 - app-text/pstotext: Arbitrary Postscript Code Execution by pstotext
Bug#: 100245 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: folajimi@speakeasy.net
Component: Vulnerabilities
URL:  http://secunia.com/advisories/16183/
Summary: app-text/pstotext: Arbitrary Postscript Code Execution by pstotext
Keywords:  
Status Whiteboard: B2 [glsa] DerCorny
Opened: 2005-07-25 09:06 0000
Description:   Opened: 2005-07-25 09:06 0000 
Max Vozeler has reported a vulnerability in pstotext, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstotext not using the "-dSAFER" option when
calling GhostScript to extract plain-text from PostScript files. This
potentially allows malicious postscript code to execute arbitrary commands on
the system.

The vulnerability has been reported in version 1.9. Other versions may also be
affected.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Solution:
Only use pstotext on trusted files.

------- Comment #1 From Jimi A. 2005-07-25 09:09:24 0000 ------- 
http://secunia.com/advisories/16183/

------- Comment #2 From Stefan Cornelius (RETIRED) 2005-07-25 09:55:27 0000 ------- 
Ok, there is no active maintainer so i CC'ed the ones from the changelog and
maintainer-needed. If there is no volunteer to get this done, we might have to
mask or remove this package.

------- Comment #3 From Stefan Cornelius (RETIRED) 2005-07-26 07:57:54 0000 ------- 
Created an attachment (id=64353) [details]
Debian patch for this issue

This is a patch for this issue taken from the debian bug. Still nobody wants to
do this?

------- Comment #4 From Jan Jitse Venselaar 2005-07-27 07:06:34 0000 ------- 
Created an attachment (id=64443) [details]
Patch for package

This patch updates the ebuild, so it cannot be easier. Still needs a ChangeLog
entry and a GnuPG signature, but I'm not a developer, so I cannot do that.

------- Comment #5 From solar 2005-07-27 09:41:18 0000 ------- 
pstotext-1.8g-r1 is in the tree with the deb patch. 
KEYWORDS= ~amd64 ~x86 ~ppc ~sparc ~ppc64

------- Comment #6 From Stefan Cornelius (RETIRED) 2005-07-27 10:48:06 0000 ------- 
Thanks a lot for the help bumping!
Arches, please test pstotext-1.8g-r1 and mark stable, also thanks.

------- Comment #7 From Jory A. Pratt 2005-07-27 10:56:18 0000 ------- 
Stable on PPC

------- Comment #8 From Markus Rothe 2005-07-27 13:10:27 0000 ------- 
stable on ppc64

------- Comment #9 From Gustavo Zacarias (RETIRED) 2005-07-27 13:11:43 0000 ------- 
sparc stable.

------- Comment #10 From solar 2005-07-30 11:19:30 0000 ------- 
Passes local regression testing.
I processed 236 .ps files without error, and confirmed it now uses -dSAFER when
calling gs.

stable on x86.

It appears to to not free a small chunk of memory before exiting and could 
probably use a wee bit of Makefile and gcc syntax loving at a later time.

amd64 never appears to of had it marked stable. This would be a good time to go
ahead and do it.

------- Comment #11 From Thierry Carrez (RETIRED) 2005-07-30 11:49:32 0000 ------- 
About amd64 testing: sure it's a good time to mark stable, but it shouldn't
block GLSA release.

Ready for GLSA

------- Comment #12 From Stefan Cornelius (RETIRED) 2005-07-31 10:37:41 0000 ------- 
GLSA 200507-29. Thanks to everybody involved.