Bug 128645 - app-text/ghostscript-afpl-8.15 ps2epsi: insecure temp files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa] DerCorny
Reported: 2006-04-03 08:51 UTC by Martin von Gagern
Modified: 2006-04-14 13:29 UTC
Description Martin von Gagern 2006-04-03 08:51:41 UTC
ps2epsi from the AFPL version of GhostScript uses /tmp/ps2epsi$$ as a temporary file, without further checks. This file is later an argument to gs, although with -dSAFER specified.

A malicious user could try to guess a future PID or watch for this command being started and try to be faster. He could create an appropriate file in advance, which would then be processed with the privileges of the user calling ps2epsi.

At the very least he could introduce his own contents instead of or in addition to the document provided by the user. I don't know if -dSAFER is safe enough to prevent worse attacks.

As a solution, mktemp should be used instead.
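
The predictable-name pattern from the report next to the suggested mktemp fix, as an added example that is not part of the original report and not ps2epsi's own code. It runs in a private scratch directory standing in for /tmp; the function names and the append-style write are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a scratch directory stands in for /tmp, nothing outside it is touched.

# Pattern from the report: name derived only from the PID, no existence check.
# Writing with >> is an assumption about how the script fills the file.
write_predictable() {   # $1 = dir, $2 = data
    tmpfile="$1/ps2epsi$$"
    printf '%s\n' "$2" >> "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Fix suggested in the report: mktemp picks an unpredictable name and creates
# the file exclusively with mode 0600, so an existing file is never reused.
write_mktemp() {        # $1 = dir, $2 = data
    tmpfile=$(mktemp "$1/ps2epsi.XXXXXX") || return 1
    printf '%s\n' "$2" >> "$tmpfile"
    printf '%s\n' "$tmpfile"
}

# Prints "clean" if the file holds exactly the caller's data, else "tainted".
check() {               # $1 = file, $2 = expected data
    if [ "$(cat "$1")" = "$2" ]; then echo clean; else echo tainted; fi
}

demo() {                # $1 = "predictable" or "mktemp"
    scratch=$(mktemp -d) || return 1
    # Constructed stand-in for a file that already exists at the guessed name.
    printf '%s\n' 'planted content' > "$scratch/ps2epsi$$"
    f=$(write_"$1" "$scratch" 'user document') || { rm -rf "$scratch"; return 1; }
    result=$(check "$f" 'user document')
    rm -rf "$scratch"
    echo "$result"
}

demo predictable   # tainted
demo mktemp        # clean
```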
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-03 09:02:38 UTC
printing, please verify and provide fixed ebuilds if needed, thank you.
Comment 2 Stefan Schweizer (RETIRED) gentoo-dev 2006-04-03 14:41:58 UTC
Ebuild fixed in -r4
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-05 12:05:41 UTC
ppc stable
Comment 4 Simon Stelling (RETIRED) gentoo-dev 2006-04-07 06:26:05 UTC
amd64 stable
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2006-04-08 13:50:52 UTC
x86 done
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-12 09:07:10 UTC
time to vote

Is it possible to force the victim to execute some code through a .ps?
If not, I tend to vote no.

By the way, severity should be lowered to "minor".
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-12 09:15:30 UTC
mhhh, I tend to say no here
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-04-12 09:18:35 UTC
Yes, it's a rather lame one. Voting no.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-04-14 13:29:19 UTC
Closing, feel free to reopen if you disagree.