Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 100398

Summary: media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability
Product: Gentoo Security Reporter: Jimi A. <folajimi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: graphics+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
Fix by debian none

Description Jimi A. 2005-07-26 13:02:14 UTC
Max Vozeler has reported a vulnerability in netpbm, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstopnm not using the "-dSAFER" option when
calling GhostScript to convert a PostScript file into a PBM, PGM, or PNM file.
This allows a malicious PostScript file to execute arbitrary commands on a
vulnerable system.

The vulnerability has been reported in version 10.0. Other versions may also be
affected.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Solution:
Only use pstopnm on trusted files.

http://secunia.com/advisories/16184/
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-26 13:11:47 UTC
graphics please advise. 
Comment 2 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-27 01:46:29 UTC
Created attachment 64419 [details, diff]
Fix by debian

Patch proposed by Debian
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-29 03:12:44 UTC
graphics herd, please apply Debian patch
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-30 13:55:57 UTC
Bumped to 10.28 and patched ebuild is in portage. This release fixes also
insecure temp file in ppmtompeg.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-31 01:07:41 UTC
Arches please test and mark stable. 
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-07-31 03:03:37 UTC
Stable on hppa
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-07-31 05:16:08 UTC
stable on ppc64
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-07-31 06:08:29 UTC
Stable on alpha

Cheers,
Ferdy
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-31 09:51:39 UTC
ppc stable
Comment 10 Herbie Hopkins (RETIRED) gentoo-dev 2005-08-01 03:18:02 UTC
Stable on amd64.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-01 07:46:14 UTC
sparc stable
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-02 02:06:33 UTC
10.28 still misses hppa...
x86/maintainer: please also text and mark x86 stable
Comment 13 Karol Wojtaszek (RETIRED) gentoo-dev 2005-08-02 04:50:50 UTC
x86 done
Comment 14 René Nussbaumer (RETIRED) gentoo-dev 2005-08-02 09:09:26 UTC
Stable on hppa again.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-08-03 00:41:28 UTC
We must decide if we issue a GLSA on this one.

The problem here is that we consider as unexpected behavior the fact that
pstotext or pstopnm execute blindly the PS (potentially honoring the pipe
commands to execute arbitrary stuff). A behavior that we consider "as
documented" when it's for Ghostscript itself.

My position is that a vast majority of users won't know that pstotext and
pstopnm will execute Ghostscript in a way potentially allowing code execution,
so the GLSAs are justified. That said, they probably don't know that regular PS
files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in
Ghostscript (which should come in a next version). Let's say GS is a
sufficiently low-level tool that its users know what they are doing, hence it's
not really considered a vulnerability ?
Comment 16 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-03 00:51:10 UTC
I would normally vote no, but following the pstopnm issue we should probably 
glsa this one as well, so YES.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-08-04 14:43:21 UTC
Stable on ia64.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-05 01:10:13 UTC
Yeah pstotext sets a (bad?) precedent so I tend to vote Yes. 
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 01:12:38 UTC
OK let's go then
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 04:02:00 UTC
GLSA 200508-04
arm and mips should mark stable to benefit from GLSA
Comment 21 Aaron Walker (RETIRED) gentoo-dev 2005-08-05 11:06:38 UTC
Stable on mips.