Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 66357

Summary: app-text/ghostscript: Insecure tempfile handling
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: printing
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.securityfocus.com/advisories/7263
Whiteboard: A3 [glsa] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
ghostscript-7.07.1-tempfile.patch
none
gs7.05.6-tempfile.patch none

Description Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:08:48 UTC
Problem description:

  Trustix Security Engineers identified that all these packages had one or
  more script(s) that handled temporary files in an insecure manner.  While
  it is not believed that any of these holes could lead to privilege
  escalation, it would be possible to trick the scripts to overwrite data
  writable by the user that invokes the script.

  These problems can only be exploited by local users, and they would have to
  wait for someone else, preferably root, to run the vulnerable scripts.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:09:36 UTC
Created attachment 41096 [details, diff]
ghostscript-7.07.1-tempfile.patch

Trustix patch to fix insecure tempfile handling.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-04 15:10:11 UTC
printing herd,

please verify and apply patch if necessary.
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-07 08:10:10 UTC
added ghostscript-7.07.1-r7 to portage, but there is still ghostscript-7.05.6 which is required for ppc, see bug #49227, it may be vulnerable as well, but the patch does not apply there
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-10-07 08:18:09 UTC
archs, please mark ghostscript-7.07.1-r7 stable.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-07 10:19:50 UTC
sparc tasty.
Comment 6 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-07 14:54:31 UTC
stable amd64
Comment 7 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-10-07 15:44:11 UTC
Stable on alpha.
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-10-07 16:47:50 UTC
hppa happy
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2004-10-07 17:33:03 UTC
x86 is there
Comment 10 SpanKY gentoo-dev 2004-10-07 18:47:45 UTC
ia64 stable
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-08 00:57:06 UTC
We'll need a patch that would apply to a ppc-compatible version of ghostscript (7.05.06) to fix it for ppc as well. Back to ebuild status to solve the ppc case.
Comment 12 Luke Macken (RETIRED) gentoo-dev 2004-10-08 20:18:17 UTC
Created attachment 41402 [details, diff]
gs7.05.6-tempfile.patch

Patch to fix tempfile vulnerabilities in 7.05.6 (ppc)
Comment 13 Tom Gall (RETIRED) gentoo-dev 2004-10-09 19:59:34 UTC
stable on ppc64, thanks!

(The comments about ppc leave me somewhat stunned...  if the 7.07.1-r7 version works just fine with ppc64, so should ppc, least so I owuld think unless there is some bug I just haven't hit yet waiting out there in the weeds for some poor unsuspecting ppc64 user)
Comment 14 Luke Macken (RETIRED) gentoo-dev 2004-10-09 22:43:08 UTC
printing herd,

please apply tempfile patch to 7.05.6 for ppc.
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 21:45:40 UTC
Stable on mips
Comment 16 Luke Macken (RETIRED) gentoo-dev 2004-10-17 20:52:05 UTC
Ready to draft GLSA.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-10-18 06:16:19 UTC
This can't be at GLSA status : still waiting for printing herd to apply tempfile patch to a ppc-supported version... like 7.05.6-r2.
Comment 18 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-18 11:20:08 UTC
added gs-7.05.6-r2 for ppc
Comment 19 Luke Macken (RETIRED) gentoo-dev 2004-10-18 11:53:22 UTC
ppc, please mark ghostscript-7.05.6-r2 stable.
Comment 20 Jochen Maes (RETIRED) gentoo-dev 2004-10-19 02:29:44 UTC
stable on ppc
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-10-19 05:15:34 UTC
Now we're set...
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 14:22:14 UTC
GLSA 200410-18