| Field | Value |
|---|---|
| Summary | media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Jimi A. <folajimi> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | graphics+disabled |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa] |
| Runtime testing required | --- |
Description
Jimi A.
2005-07-26 13:02:14 UTC
graphics please advise.

Created attachment 64419: "Fix by debian"
Patch proposed by Debian

Comments

graphics herd, please apply Debian patch

Bumped to 10.28 and patched ebuild is in portage. This release also fixes an insecure temp file in ppmtompeg. Arches please test and mark stable.

Stable on hppa

stable on ppc64

Stable on alpha
Cheers, Ferdy

ppc stable

Stable on amd64.

sparc stable

10.28 still misses hppa... x86/maintainer: please also test and mark x86 stable

x86 done

Stable on hppa again.

We must decide if we issue a GLSA on this one. The problem here is that we consider it unexpected behavior that pstotext or pstopnm blindly execute the PS (potentially honoring the pipe commands to execute arbitrary stuff), a behavior that we consider "as documented" when it's Ghostscript itself.

My position is that a vast majority of users won't know that pstotext and pstopnm will execute Ghostscript in a way potentially allowing code execution, so the GLSAs are justified.

That said, they probably don't know that regular PS files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in Ghostscript (which should come in a next version).

Let's say GS is a sufficiently low-level tool that its users know what they are doing, hence it's not really considered a vulnerability? I would normally vote no, but following the pstopnm issue we should probably GLSA this one as well, so YES.

Stable on ia64.

Yeah, pstotext sets a (bad?) precedent, so I tend to vote Yes.

OK let's go then. GLSA 200508-04

arm and mips should mark stable to benefit from GLSA

Stable on mips.
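The hardening the discussion asks for, running Ghostscript with -dSAFER, as an added example that is not code from the bug report, from netpbm or from Debian's patch: a small wrapper that rasterises a PostScript file with gs directly and refuses to run without -dSAFER. It assumes a `gs` binary on PATH and the ppmraw output device.

```shell
#!/bin/sh
# Added example (not code from the bug report or from netpbm): a wrapper
# that rasterises PostScript with Ghostscript itself, always passing the
# -dSAFER restriction the discussion asks for, instead of letting
# pstopnm/pstotext assemble the gs command line.
# Assumptions: a `gs` binary on PATH and the ppmraw output device.

# Succeed only if -dSAFER is present in the argument list given.
assert_safer() {
    for arg in "$@"; do
        [ "$arg" = "-dSAFER" ] && return 0
    done
    echo "refusing to run gs without -dSAFER" >&2
    return 1
}

# Usage: ps_to_ppm_safe input.ps output.ppm
# Returns 2 on bad input, 127 if gs is missing, otherwise gs's own status.
ps_to_ppm_safe() {
    in_ps=$1
    out_ppm=$2
    # A file name starting with '-' would be parsed by gs as an option.
    case $in_ps in
        -*) echo "input name looks like an option: $in_ps" >&2; return 2 ;;
    esac
    [ -f "$in_ps" ] || { echo "no such file: $in_ps" >&2; return 2; }
    # -dNOPAUSE -dBATCH: no prompt, exit when the page is done; -q: no banner
    set -- -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=ppmraw \
        "-sOutputFile=$out_ppm" "$in_ps"
    assert_safer "$@" || return 1
    command -v gs >/dev/null 2>&1 || { echo "gs not found in PATH" >&2; return 127; }
    gs "$@"
}
```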