Max Vozeler has reported a vulnerability in pstotext, which can be exploited by
malicious people to compromise a vulnerable system.
The vulnerability is caused due to pstotext not using the "-dSAFER" option when
calling GhostScript to extract plain-text from PostScript files. This
potentially allows malicious postscript code to execute arbitrary commands on
The vulnerability has been reported in version 1.9. Other versions may also be
Steps to Reproduce:
Only use pstotext on trusted files.
Ok, there is no active maintainer so i CC'ed the ones from the changelog and
maintainer-needed. If there is no volunteer to get this done, we might have to
mask or remove this package.
Created attachment 64353 [details, diff]
Debian patch for this issue
This is a patch for this issue taken from the debian bug. Still nobody wants to
Created attachment 64443 [details, diff]
Patch for package
This patch updates the ebuild, so it cannot be easier. Still needs a ChangeLog
entry and a GnuPG signature, but I'm not a developer, so I cannot do that.
pstotext-1.8g-r1 is in the tree with the deb patch.
KEYWORDS= ~amd64 ~x86 ~ppc ~sparc ~ppc64
Thanks a lot for the help bumping!
Arches, please test pstotext-1.8g-r1 and mark stable, also thanks.
Stable on PPC
stable on ppc64
Passes local regression testing.
I processed 236 .ps files without error, and confirmed it now uses -dSAFER when
stable on x86.
It appears to to not free a small chunk of memory before exiting and could
probably use a wee bit of Makefile and gcc syntax loving at a later time.
amd64 never appears to of had it marked stable. This would be a good time to go
ahead and do it.
About amd64 testing: sure it's a good time to mark stable, but it shouldn't
block GLSA release.
Ready for GLSA
GLSA 200507-29. Thanks to everybody involved.