Max Vozeler has reported a vulnerability in pstotext, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to pstotext not using the "-dSAFER" option when calling GhostScript to extract plain-text from PostScript files. This potentially allows malicious postscript code to execute arbitrary commands on the system. The vulnerability has been reported in version 1.9. Other versions may also be affected. Reproducible: Always Steps to Reproduce: 1. 2. 3. Solution: Only use pstotext on trusted files.
http://secunia.com/advisories/16183/
Ok, there is no active maintainer so i CC'ed the ones from the changelog and maintainer-needed. If there is no volunteer to get this done, we might have to mask or remove this package.
Created attachment 64353 [details, diff] Debian patch for this issue This is a patch for this issue taken from the debian bug. Still nobody wants to do this?
Created attachment 64443 [details, diff] Patch for package This patch updates the ebuild, so it cannot be easier. Still needs a ChangeLog entry and a GnuPG signature, but I'm not a developer, so I cannot do that.
pstotext-1.8g-r1 is in the tree with the deb patch. KEYWORDS= ~amd64 ~x86 ~ppc ~sparc ~ppc64
Thanks a lot for the help bumping! Arches, please test pstotext-1.8g-r1 and mark stable, also thanks.
Stable on PPC
stable on ppc64
sparc stable.
Passes local regression testing. I processed 236 .ps files without error, and confirmed it now uses -dSAFER when calling gs. stable on x86. It appears to to not free a small chunk of memory before exiting and could probably use a wee bit of Makefile and gcc syntax loving at a later time. amd64 never appears to of had it marked stable. This would be a good time to go ahead and do it.
About amd64 testing: sure it's a good time to mark stable, but it shouldn't block GLSA release. Ready for GLSA
GLSA 200507-29. Thanks to everybody involved.